There aren't any good session-powered CSRF prevention libraries. By good we mean:
- CSRF tokens can be restricted to any or all of the following:
- A particular session
- A particular HTTP URI
- A particular IP address (optional)
- Multiple CSRF tokens can be stored
- CSRF tokens expire after one use
- An upper limit on the number of tokens stored with session data is enforced
- In our implementation, the oldest are removed first
Warning - Do not use in any project where all $_SESSION
data is stored
client-side in a cookie. This will quickly run up the 4KB storage max for
an HTTP cookie.
See autoload.php
for an SPL autoloader.
First, add a filter like this one:
use \ParagonIE\AntiCSRF\AntiCSRF;
$twigEnv->addFunction(
new \Twig_SimpleFunction(
'form_token',
function($lock_to = null) {
static $csrf;
if ($csrf === null) {
$csrf = new AntiCSRF;
}
return $csrf->insertToken($lock_to, false);
},
['is_safe' => ['html']]
)
);
Next, call the newly created form_token function from your templates.
<form action="/addUser.php" method="post">
{{ form_token("/addUser.php") }}
{# ... the rest of your form here ... #}
</form>
$csrf = new \ParagonIE\AntiCSRF\AntiCSRF;
if (!empty($_POST)) {
if ($csrf->validateRequest()) {
// Valid
} else {
// Log a CSRF attack attempt
}
}