A simple PHP CSRF class that provides functionality for operating CSRF tokens.
## Installation

You can install the Csrf class using Composer. Run the following command in your project's root directory:

```bash
composer require gokhankurtulus/csrf
```

To use the Csrf class in your PHP script, you need to include the Composer autoloader:

```php
require_once 'vendor/autoload.php';
```
## Usage

### Generating a token

You can generate a new CSRF token using the `newToken` method. The method accepts two parameters: the token name and an optional expiry time in seconds (default is 600 seconds = 10 minutes).

```php
use Csrf\Csrf;

$token = Csrf::newToken('my_token', 1200); // Generate a token named 'my_token' that expires in 20 minutes
```

The `newToken` method returns a `stdClass` object containing the token information. The object has the following properties:

- `name`: The name of the token.
- `expiry`: The expiry timestamp of the token.
- `value`: The token value.
### Retrieving a token

To retrieve a previously generated token, you can use the `getToken` method. It accepts the token name as a parameter and returns the token object if found, or `null` if the token does not exist.

```php
$token = Csrf::getToken('my_token'); // Get the token object for 'my_token'
```
### Creating a form input

The `createInput` method generates an HTML input field with the CSRF token embedded. It accepts the token name and an optional expiry time (default is 600 seconds or 10 minutes) as parameters. The method returns the HTML input field as a string, or `null` if the session is not started or the token name is empty.

```php
$input = Csrf::createInput('my_token', 1800); // Generate an HTML input field for 'my_token' that expires in 30 minutes
echo $input; // Output the HTML input field
```

The generated HTML input field can be used in forms to send the CSRF token value along with other form data.
### Verifying a token

To verify that a submitted token is valid, you can use the `verify` method. It accepts the token name, an optional parameter to unset the token once it is verified (default is `false`), and the token value submitted with the request (retrieved from the `$_POST` superglobal by default).

```php
$isVerified = Csrf::verify('my_token', true); // Verify the submitted token for 'my_token' and unset it if verified
if ($isVerified) {
    // Token is valid
} else {
    // Token is invalid
}
```

The `verify` method returns a boolean value indicating whether the token is valid or not.
### Unsetting a token

To unset a token manually, you can use the `unsetToken` method. It accepts the token name as a parameter and returns `true` if the token is successfully unset, or `false` if the session is not started or the token name is empty.

```php
Csrf::unsetToken('my_token'); // Unset the token named 'my_token'
```
### Sessions

The Csrf class relies on PHP sessions to store and retrieve CSRF tokens. The `isSessionStarted` method can be used to check whether a session is already started.

```php
// Check if a session is started
$isSessionStarted = Csrf::isSessionStarted();
if ($isSessionStarted) {
    // Session is active
} else {
    // Session is not active
}
```
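The following is an added example, not code from the library or its README, that wires the methods above into one request handler: the token is issued through `createInput` for a classic form and through `newToken` for a JSON client that sends it back in a request header, and `verify` is called with `true` so each token is single-use. The token names `profile_form` and `profile_api`, the `X-CSRF-Token` header name and the `csrf_handler.php` file name are assumptions chosen for the example; the library's API is used only as this README documents it.

```php
<?php
// csrf_handler.php: added example for the Csrf class documented above.
// Assumes the library was installed with Composer as shown in Installation.
require_once 'vendor/autoload.php';

use Csrf\Csrf;

// Tokens live in the session, so a session must exist before any Csrf call.
if (!Csrf::isSessionStarted()) {
    session_start();
}

$method = $_SERVER['REQUEST_METHOD'] ?? 'GET';

if ($method === 'GET') {
    // Browser form: createInput() embeds the token as a hidden field that
    // verify() later reads from $_POST. Name 'profile_form' is our choice.
    $input = Csrf::createInput('profile_form', 900); // 15-minute lifetime
    if ($input === null) {
        http_response_code(500);
        exit('Could not issue CSRF token: session not started or empty name');
    }
    echo '<form method="post">' . $input
       . '<input name="display_name"><button>Save</button></form>';

    // JSON client: expose the raw token value so a fetch() call can echo it
    // back in a header. Name 'profile_api' is our choice.
    $api = Csrf::newToken('profile_api', 900);
    echo '<meta name="csrf-token" content="'
       . htmlspecialchars($api->value, ENT_QUOTES) . '">';
    exit;
}

// POST: pick the transport, then verify with unset=true so a token that is
// replayed (or leaked through a log or cache) is rejected the second time.
$contentType = $_SERVER['CONTENT_TYPE'] ?? '';
if (strncmp($contentType, 'application/json', 16) === 0) {
    // Header name X-CSRF-Token is our choice; PHP exposes it as HTTP_X_CSRF_TOKEN.
    $submitted = $_SERVER['HTTP_X_CSRF_TOKEN'] ?? '';
    $ok = Csrf::verify('profile_api', true, $submitted); // explicit value
} else {
    $ok = Csrf::verify('profile_form', true);            // value from $_POST
}

if (!$ok) {
    http_response_code(403);
    error_log('CSRF verification failed from ' . ($_SERVER['REMOTE_ADDR'] ?? '?'));
    exit('Request rejected.');
}
// The request carried a valid, now-consumed token: process it here.
```

Because `verify` is called with the unset flag, a client that submits the same form twice receives a 403 on the second attempt and must reload the page to obtain a fresh token.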
## License

Csrf is open-source software released under the MIT License. Feel free to modify and use it in your projects.

## Contributing

Contributions to Csrf are welcome! If you find any issues or have suggestions for improvements, please create an issue or submit a pull request on the GitHub repository.