README

Stateless CSRF (Cross-Site Request Forgery) token service 🍖

Install

$ composer require schnittstabil/csrf-tokenservice

Usage

<?php
require __DIR__.'/vendor/autoload.php';

use Schnittstabil\Csrf\TokenService\TokenService;

// Shared secret key used for generating and validating token signatures:
$key = 'This key is not so secret - change it!';

// Time to Live in seconds; default is 1440 seconds === 24 minutes:
$ttl = 1440;

// create the TokenService
$tokenService = new TokenService($key, $ttl);

// generate a URL-safe token, using the name of the authenticated user as nonce:
$token = $tokenService->generate($_SERVER['PHP_AUTH_USER']);

// validate the token - stateless; no session needed
if (!$tokenService->validate($_SERVER['PHP_AUTH_USER'], $token)) {
    http_response_code(403);
    echo '<h2>403 Access Forbidden, bad CSRF token</h2>';
    exit();
}

Related

• schnittstabil/psr7-csrf-middleware – (stateless) PSR-7 CSRF protection middleware
• schnittstabil/csrf-twig-helpers – Twig helpers for token rendering

License

MIT © Michael Mayer