Protect your web app from malicious requests by using CSRF protection tokens in links and forms. This CSRF protection library does not use sessions, files, memory storage or databases.
In the examples below you'll find the 3 most important methods:
TokenManager::create();
TokenManager::createHtmlField();
TokenManager::validate();
The full namespace is InternetPixels\CSRFProtection\TokenManager
.
You have to set some settings for a secure TokenManager. Please overwrite the salt by your own one.
<?php
TokenManager::setSalt('P*17OJznMttaR#Zzwi4YhAY!H7hPGUCd', 'ERGirehgr4893ur43tjrg98rut98ueowifj');
TokenManager::setUserId(7);
TokenManager::setSessionToken('session_token');
The TokenManager can improve the security
<form action="/your/page" method="post">
<?= TokenManager::createHtmlField('my_form') ?>
</form>
When a user wants to delete an item in your application, you want to be sure that the request is valid. Create a token and add it in the link to your delete page.
<a href="/posts/delete/1?token=<?= TokenManager::create('delete_post') ?>">Delete Post</a>
In the delete action you want to validate the token with the TokenManager::validate()
method.
Once a user is posting the form data to your server(s), you'll first need to validate the given token. By default, the field name used is _token
.
<?php
if( filter_has_var(INPUT_POST, '_token') ) {
if( TokenManager::validate('my_form', filter_input(INPUT_POST, '_token')) ) {
// valid token
}
else {
// invalid token
}
}