Quick CSRF offers stateless CSRF protection for forms and requires almost zero configuration. It uses the JSON Web Token (JWT) standard, so it does not depend on sessions or cookies.
Quick CSRF depends on the beautiful lcobucci/jwt JWT implementation.
Edit your project's composer.json to require zoxta/csrf:

```json
"require": {
    "zoxta/csrf": "dev-master"
}
```

Then run composer update.
Just instantiate the class and you will be ready to go. You will also find a sample usage in the example directory.

```php
<?php
require 'vendor/autoload.php';

use Zoxta\Csrf\JwtCsrfToken;

# instantiate the class
$CsrfToken = new JwtCsrfToken();

# if a form is submitted (using POST)
if (! empty($_POST['_token'])) {
    # check if the CSRF token is invalid
    if ($CsrfToken->isInvalid()) {
        # return an error if the CSRF token is invalid/expired
        echo '<h1>Invalid token, stop.</h1>';
    } else {
        echo '<h1>Valid token, process form.</h1>';
    }
    exit;
}
```
You can also just use the isValid() method immediately without any other requirements:

```php
if ($CsrfToken->isValid()) {
    # process the form request
    echo '<h1>Valid token, process form.</h1>';
    exit;
}
```
To echo the CSRF token in your forms, you have two simple ways. You can either echo the token itself:

```html
<input type="hidden" name="_token" value="<?= $CsrfToken ?>">
```
Or you can echo the whole input field for simplicity using $CsrfToken->field(), as follows:

```html
<form action="" method="post">
    <!-- form fields -->
    <?= $CsrfToken->field() ?>
    <input type="submit" value="Submit Form">
</form>
```
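As an added illustration of the stateless mechanism the library relies on (this is not zoxta/csrf or lcobucci/jwt code; CSRF_SECRET and the function names are assumptions), here is a minimal HS256 JWT CSRF token issued and verified in plain PHP, so the token needs no session storage on the server:

```php
<?php
// Added illustration, not zoxta/csrf code: a stateless CSRF token as a
// signed JWT. CSRF_SECRET is an assumed placeholder; load it from config.
const CSRF_SECRET = 'replace-with-a-random-32-byte-secret';

function b64url(string $data): string
{
    return rtrim(strtr(base64_encode($data), '+/', '-_'), '=');
}

function b64urlDecode(string $data)
{
    $pad = strlen($data) % 4;
    $data = strtr($data, '-_', '+/') . ($pad ? str_repeat('=', 4 - $pad) : '');
    return base64_decode($data, true);
}

// Issue header.payload.signature with an expiry and a random token id.
function issueCsrfToken(int $ttlSeconds = 900): string
{
    $header  = b64url(json_encode(['alg' => 'HS256', 'typ' => 'JWT']));
    $payload = b64url(json_encode([
        'exp' => time() + $ttlSeconds,
        'jti' => bin2hex(random_bytes(16)),
    ]));
    $sig = b64url(hash_hmac('sha256', "$header.$payload", CSRF_SECRET, true));
    return "$header.$payload.$sig";
}

// Verify the MAC over the exact bytes received, then the expiry claim.
// The algorithm is fixed to HS256; the header's "alg" field is not trusted.
function csrfTokenIsValid(string $token): bool
{
    $parts = explode('.', $token);
    if (count($parts) !== 3) {
        return false;
    }
    [$header, $payload, $sig] = $parts;
    $expected = b64url(hash_hmac('sha256', "$header.$payload", CSRF_SECRET, true));
    if (!hash_equals($expected, $sig)) {          // constant-time comparison
        return false;
    }
    $claims = json_decode((string) b64urlDecode($payload), true);
    return is_array($claims) && isset($claims['exp']) && $claims['exp'] > time();
}

// Usage: embed issueCsrfToken() in the form, verify $_POST['_token'] on submit.
$token = issueCsrfToken();
var_dump(csrfTokenIsValid($token));         // fresh token passes
var_dump(csrfTokenIsValid($token . 'x'));   // tampered signature fails
```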
- Ability to edit default JWT options.
- Ability to support sending tokens via GET requests or request header.