Ecosyste.ms: Awesome
https://github.com/paragonie/anti-csrf
Full-Featured Anti-CSRF Library
Last synced: 2 days ago
- Host: GitHub
- URL: https://github.com/paragonie/anti-csrf
- Owner: paragonie
- License: agpl-3.0
- Created: 2015-02-28T02:20:23.000Z (over 9 years ago)
- Default Branch: master
- Last Pushed: 2024-09-11T07:56:14.000Z (about 2 months ago)
- Last Synced: 2024-10-26T13:44:22.061Z (8 days ago)
- Language: PHP
- Homepage: https://paragonie.com/projects
- Size: 116 KB
- Stars: 297
- Watchers: 21
- Forks: 52
- Open Issues: 15
Metadata Files:
- Readme: README.md
- License: LICENSE
README
# Anti-CSRF Library
[![Build Status](https://github.com/paragonie/anti-csrf/actions/workflows/ci.yml/badge.svg)](https://github.com/paragonie/anti-csrf/actions)
[![Latest Stable Version](https://poser.pugx.org/paragonie/anti-csrf/v/stable)](https://packagist.org/packages/paragonie/anti-csrf)
[![Latest Unstable Version](https://poser.pugx.org/paragonie/anti-csrf/v/unstable)](https://packagist.org/packages/paragonie/anti-csrf)
[![License](https://poser.pugx.org/paragonie/anti-csrf/license)](https://packagist.org/packages/paragonie/anti-csrf)
[![Downloads](https://img.shields.io/packagist/dt/paragonie/anti-csrf.svg)](https://packagist.org/packages/paragonie/anti-csrf)

## Motivation

There aren't any good session-powered CSRF prevention libraries. By good we mean:

* CSRF tokens can be restricted to any or all of the following:
  * A particular session
  * A particular HTTP URI
  * A particular IP address (optional)
* Multiple CSRF tokens can be stored
* CSRF tokens expire after one use
* An upper limit on the number of tokens stored with session data is enforced
  * In our implementation, the oldest are removed first

**Warning** - Do not use in any project where all `$_SESSION` data is stored
client-side in a cookie. This will quickly run up the 4KB storage max for
an HTTP cookie.

## Using it in Any Project
See `autoload.php` for an SPL autoloader.
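To make the token properties listed under Motivation concrete (session-scoped storage, optional URI and IP locks, single use, and a capped store that evicts the oldest token first), here is a small stand-alone Python sketch of such a token store. It is illustrative code added for this page, not the library's PHP implementation; one `TokenStore` stands in for one session, the cap of 5 tokens and the rule that a token is consumed on its first presentation (valid or not) are assumptions.

```python
import hmac
import secrets
from collections import OrderedDict

# Illustrative re-implementation of the README's token properties, written for
# this page. The library keeps its tokens in $_SESSION; here one TokenStore
# stands in for one session. The cap of 5 is an assumption, not a library default.
MAX_TOKENS = 5


class TokenStore:
    def __init__(self, max_tokens=MAX_TOKENS):
        self.max_tokens = max_tokens
        self.tokens = OrderedDict()  # index -> record; insertion order == age

    def insert_token(self, lock_to=None, ip=None):
        """Mint a token, optionally locked to a URI and/or a client IP."""
        index = secrets.token_hex(16)   # public handle placed in the form
        token = secrets.token_hex(32)   # secret value compared on validation
        self.tokens[index] = {"token": token, "lock": lock_to, "ip": ip}
        while len(self.tokens) > self.max_tokens:
            self.tokens.popitem(last=False)  # enforce the cap: oldest goes first
        return index, token

    def validate(self, index, token, uri, ip=None):
        """Spend the token named by index; True only if every bound check holds."""
        # Assumption: a token is consumed on its first presentation, valid or
        # not, so a mismatched URI or IP cannot be retried with the same token.
        record = self.tokens.pop(index, None)
        if record is None:
            return False                 # unknown, already used, or evicted
        if not hmac.compare_digest(record["token"], token):
            return False                 # constant-time comparison of the secret
        if record["lock"] is not None and record["lock"] != uri:
            return False                 # token was locked to a different URI
        if record["ip"] is not None and record["ip"] != ip:
            return False                 # optional IP binding did not match
        return True


if __name__ == "__main__":
    store = TokenStore(max_tokens=3)
    handles = [store.insert_token("/addUser.php") for _ in range(4)]
    print("oldest evicted:", handles[0][0] not in store.tokens)      # True
    idx, tok = handles[3]
    print("first use:", store.validate(idx, tok, "/addUser.php"))     # True
    print("replay:", store.validate(idx, tok, "/addUser.php"))        # False
    idx, tok = handles[2]
    print("wrong uri:", store.validate(idx, tok, "/other.php"))       # False
```

In a real deployment the store would be serialised into the server-side session, which is why the warning above about cookie-stored sessions matters: every minted token adds to the session's size.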
## Using it with Twig templates
First, add a filter like this one:

```php
use \ParagonIE\AntiCSRF\AntiCSRF;

$twigEnv->addFunction(
    new \Twig\TwigFunction(
        'form_token',
        function($lock_to = null) {
            // Reuse one AntiCSRF instance for every call within this request
            static $csrf;
            if ($csrf === null) {
                $csrf = new AntiCSRF;
            }
            // Mint a token, optionally locked to the given URI, and return its markup
            return $csrf->insertToken($lock_to, false);
        },
        // The returned markup is trusted HTML, so Twig must not escape it
        ['is_safe' => ['html']]
    )
);
```

Next, call the newly created form_token function from your templates.
```twig
{{ form_token("/addUser.php") }}
{# ... the rest of your form here ... #}
```
## Validating a Request

```php
$csrf = new \ParagonIE\AntiCSRF\AntiCSRF;

// Only state-changing (POST) requests carry a token to check
if (!empty($_POST)) {
    if ($csrf->validateRequest()) {
        // Valid: proceed with the requested action
    } else {
        // Log a CSRF attack attempt
    }
}
```

## Support Contracts
If your company uses this library in their products or services, you may be
interested in [purchasing a support contract from Paragon Initiative Enterprises](https://paragonie.com/enterprise).