Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/foxbunny/csrf4php
Cross-Site Request Forgery protection kit for PHP
https://github.com/foxbunny/csrf4php
Last synced: 28 days ago
JSON representation
Cross-Site Request Forgery protection kit for PHP
- Host: GitHub
- URL: https://github.com/foxbunny/csrf4php
- Owner: foxbunny
- License: gpl-3.0
- Created: 2010-12-09T00:46:26.000Z (about 14 years ago)
- Default Branch: master
- Last Pushed: 2012-08-16T13:14:48.000Z (over 12 years ago)
- Last Synced: 2023-03-12T08:34:22.395Z (almost 2 years ago)
- Language: PHP
- Homepage:
- Size: 356 KB
- Stars: 25
- Watchers: 2
- Forks: 10
- Open Issues: 2
-
Metadata Files:
- Readme: README.md
- License: LICENSE
Awesome Lists containing this project
README
CSRF4PHP: Cross-Site Request Forgery protection kit for for PHP
===============================================================This file contains the CsrfToken class that handles genration and checking
of [Synchronization tokens](http://bit.ly/owasp_synctoken).In future more features will be incorporated into this kit, but the CsrfToken
class is the most important part of the puzzle.Note on compatibility
---------------------This kit was written for PHP version 5.3 and upwards. It has not been, and will
not be tested on any previous version of PHP. I believe the code would work
provided you remove the namespace line from ``CsrfToken.php`` (or any other
piece of code that you may find in this package), and use CsrfToken without the
namespaces.To use in pre-5.3 PHP version try removing the namespace declaration and the
followed use statement.Basic usage scenario
--------------------The basic usage involves initializing an instance at some point, calling
either the `generateHiddenField()` or `generateToken()` methods. The former produces
an XHTML-compliant input element, whereas the latter produces a raw
Base64-encoded string. In another request, the request can be tested for
authenticity (to the best of this script's author's knowledge) by calling
the `checkToken()` method.The `generateHiddenField()` and `generateToken()` create a `$_SESSION['csrf']`
array, which contains the material for token creation. This data is
preserved so that the token can be checked later.License
-------Copyright (c)2010-2012 by Branko Vukelic and Oleg Stepura. All rights reserved.
This program is free software: you can redistribute it and/or modify it under
the terms of the GNU General Public License as published by the Free Software
Foundation, either version 3 of the License, or (at your option) any later
version. (See ``LICENSE`` file for the exact text of the GPL license.)At your option, you may redistribute and/or modify this program under the terms
of GNU Lesser General Public License as published by the Free Software
Foundation, either version 3 of the License, or (at your option) any later
version. (See ``LGPL`` file for the exact text of LGPL license.)This program is distributed in the hope that it will be useful, but WITHOUT ANY
WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE. See the GNU General Public License for more details.You should have received a copy of the GNU General Public License along with
this program. If not, see .Disclaimer
----------This script has not been widely tested (actually, it's been only tested on
a local host), so I do not recommend using it without sufficient testing.
That said, I do think it will work as expected.TODO
----* Write unit tests for the CsrfToken class.
* Implement a helper function or class for checking the HTTP Referrer header.