This is a PHP Cross-Site Request Forgery (CSRF) prevention library using the Double Cookie Submit method. This particular method allows easy implementation and scalability versus the Synchronizer Token method which requires a database session. However, the Synchronizer method may be a future feature added on later.
My goal for this library was to built in something a little more complex than the typical the other Double Cookie Submit libraries out there that only checks the POST value against the cookie. There's a lite version and a full version. The full version will check the IP and browser headers while the lite version checks just the IP address. Opt for the light version if you're concern about the length of the nonce created by the library.
Included in the repository is an index.php that has examples on how to implement the CSRF library.
This library has a method that can generate a hidden form input that you can use in your view.
$echo (new \Tyndale\CSRF())->generate_form_field();
Which would yield this output:
<input type="hidden" name="nonce" value ="UlFIVDh2aEN6aGlJK0wwOXR5bVo1eEcwN2grNEZXSGdqR25QT2FEN291Um05dWt5RnFSMGgrczdyTWFhNkdQWA==" />You can then do something like the following snippet to verify the nonce.
if ( \Tyndale\CSRF::validate($_POST['nonce']) ) {
echo 'valid';
};If you just want just the nonce value, that is possible as well. The following code would provide you a nonce value with an expiration of 5 minutes (default is 1 hour if the parameter is left empty).
echo (new \Tyndale\CSRF())->create(5);Feel free to take it and use/modify as you please.
The code is open source and available under the MIT License.
Detectify is a great tool for scanning your websites for vulnerabilities in your code.