https://github.com/invalidusrname/csrf

A PHP Kohana 3 module for CSRF prevention. This module includes special handling and sample code for implementation with AJAX requests. Includes user agent validation, timeouts (expiration), and private key salted two-way encryption using mcrypt.
https://github.com/invalidusrname/csrf

Last synced: about 1 year ago
JSON representation

A PHP Kohana 3 module for CSRF prevention. This module includes special handling and sample code for implementation with AJAX requests. Includes user agent validation, timeouts (expiration), and private key salted two-way encryption using mcrypt.

• Host: GitHub
• URL: https://github.com/invalidusrname/csrf
• Owner: invalidusrname
• License: mit
• Created: 2011-01-21T22:00:23.000Z (over 15 years ago)
• Default Branch: master
• Last Pushed: 2011-01-21T23:06:56.000Z (over 15 years ago)
• Last Synced: 2025-03-24T01:13:32.578Z (about 1 year ago)
• Language: PHP
• Homepage:
• Size: 360 KB
• Stars: 1
• Watchers: 1
• Forks: 0
• Open Issues: 0
• Metadata Files:
  • Readme: README.md
  • License: LICENSE

Awesome Lists containing this project

README

          
CSRF for Kohana 3

=================

Usage

-------------

**Implementation for Pages with Forms**

There are a few different use cases for the CSRF module. The most common is to automatically add CSRF protection to 

a form on your website. Below is a quick example:

	 'post')); ?>

		

		

		Submit

	

CSRF_Form overrides Kohana_Form and as such there are no differences in the parameters you may pass to the open() method.

The open() method includes special handling for generating a hidden form element as well as javascript for generating

and returning a new token to be used in coordination with AJAX handlers:

	// below is the pertinent snippet of CSRF_Form::open()

	if ($attributes['method'] = 'post') {

		$output .= '';

		$output .= CSRF::javascript();

	}

	// below is the pertinent snippet of CSRF::javascript()

	$javascript  = '';

	$javascript .= 'var csrf_token = "' . $current_token . '";';

	$javascript .= 'var csrf_invalidated = false;';

	$javascript .= 'function getToken(callback) { $.getJSON("'.url::site('csrf/generate/').'", function(json) { csrf_token = json.token; csrf_invalidated = false; $(form).each(function(){ $(this).find("#csrf_token").val(csrf_token); }); if ($.isFunction(callback)) callback.call(this, csrf_token); }); }';

	$javascript .= '';

**Validating Form Submissions**

In order to validate that a form is not forged, you would include the following in your controller or model method:

	if (Request::$method == 'POST') {

		if (!isset($_POST['csrf_token']) || CSRF::valid($_POST['csrf_token'])) {

			// possible cross-site request forgery

		} else {

			// perform further form validation

		}

	}

**Implementation for AJAX Only Pages**

If your page only has AJAX requests and no forms that need to be validated, you will need to add the javascript to your page

before any of the AJAX handling code is added:

	

**Caveats of AJAX CSRF Protection (and a workaround)**

It's worth noting that any call made to CSRF::valid() will delete the current csrf-token session variable. This means that if you

have multiple AJAX requests on a page, only the first one will be valid without implementing further frontend handling. To combat 

this, you will need to ensure that you generate a new token after each AJAX request. 

	

	// below is a globally set variable you need to maintain for whether to get a new token

	var csrf_invalidated = false;

	function ajaxyLogin(email, password) {

		// if invalidated, request a new token and pass ajaxyLogin as a callback.

		if (csrf_invalidated) {

			getToken(ajaxyLogin);

			return false;

		}

		$.post('/ajax/login/', { csrf_token: csrf_token, email: email, password: password }, function(data) {

			// you need to manually invalidate the token

			csrf_invalidated = true;

			// suggested usage is to automatically regenerate token in callback

			getToken();

		});

	}

	

To combat the scenario of an AJAX request invalidating a subsequent form submission, it is recommended that you run

getToken() in the callback handling of your AJAX request. This will ensure that any forms on your page will have their

hidden input tokens updated accordingly.

**Validating AJAX Submissions**

In order to validate that an AJAX post is not forged, you must remember to include the csrf_token javascript global variable in your 

request. From there, you're going to want to validate it in your controller or model method:

	if (Request::$method == 'POST' && Request::$is_ajax) {

		if (!isset($_POST['csrf_token']) || CSRF::valid($_POST['csrf_token'])) {

			// possible cross-site request forgery

	} else {

		// perform further form validation

	}

Requirements

------------

* The PHP mcrypt module (php-mcrypt or php5-mcrypt depending on your distro)

* jQuery >= 1.3.2