spencer14420/sp-anti-csrf

Can be used to generate and validate anti-CSRF tokens

Maintainers

Spencer14420

Package info

github.com/Spencer14420/SPAntiCSRF

pkg:composer/spencer14420/sp-anti-csrf

Statistics

Installs: 612

Dependents: 1

Suggesters: 0

Stars: 0

Open Issues: 0

1.0.0-beta1 2024-11-28 21:53 UTC

Requires

None

Requires (Dev)

None

Suggests

None

Provides

None

Conflicts

None

Replaces

None

MIT e109cdd671257b1dcdecc09eaf37cb6dbd4ce5b6

  • spencer14420

This package is auto-updated.

Last update: 2026-05-29 02:06:12 UTC


README

SPAntiCSRF is a lightweight PHP package that secures web applications against CSRF attacks using token-based validation.

Features

  • Session-based CSRF token management: Tokens are stored securely in PHP sessions.
  • Token expiration: Tokens expire after a configurable duration for enhanced security.
  • Validation and replay protection: Ensures tokens are valid and prevents token reuse.
  • Session regeneration: Provides a method to regenerate session IDs, helping to mitigate session fixation attacks when used appropriately.
  • One-time token usage: Tokens are invalidated after successful validation to prevent reuse.

Installation

You can install SPAntiCSRF using Composer:

composer require spencer14420/sp-anti-csrf

Usage

Generate a CSRF Token

Generate a token when rendering forms or making requests that require CSRF protection:

use spencer14420\SpAntiCsrf\AntiCsrf;

$csrf = new AntiCsrf();
$token = $csrf->generateToken();

Use the token in your HTML form:

<input
 type="hidden"
 id="csrf_token"
 name="csrf_token"
 value="<?php echo $token ?>"
/>

Validate the Token

Validate the token on the server side when processing the form submission:

use spencer14420\SpAntiCsrf\AntiCsrf;

$csrf = new AntiCsrf();

try {
    $token = $_POST['csrf_token'] ?? '';
    if (!$csrf->tokenIsValid($token)) {
        throw new Exception('Invalid CSRF token.');
    }
    // Proceed with processing the form
} catch (Exception $e) {
    // Handle invalid or expired token
    echo 'Error: ' . $e->getMessage();
}

Regenerate the Session

For added security, you can regenerate the session ID periodically or after certain actions:

$csrf->regenerateSession();

  • Consider calling regenerateSession() after sensitive actions like user login, logout, or privilege escalation to protect against session fixation attacks.

API Reference

generateToken(int $expirySeconds = 3600): string

Generates a new CSRF token and stores it in a session variable together with an expiry time (default: 1 hour).

  • Parameters:
    • $expirySeconds: The token's lifetime in seconds.
  • Returns: The generated token as a string.

tokenIsValid(string $tokenToCheck): bool

Validates a CSRF token.

  • Parameters:
    • $tokenToCheck: The token to validate.
  • Returns: true if the token is valid and has not expired; false otherwise.

regenerateSession(): void

Regenerates the PHP session ID to mitigate session fixation attacks.

tokenIsNotExpired(): bool

Checks if the stored token has expired.

  • Returns: true if the token has not expired; false otherwise.
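The following is an added illustration, not the package's own source, of the token contract the Usage section and API Reference describe (a stored token with an expiry, validated once and then discarded). It assumes a DemoCsrf class with a plain array standing in for $_SESSION so it runs from the CLI; regenerateSession() is left out because it needs a live session.

```php
<?php
// Added illustration (not the SPAntiCSRF source): a minimal token store
// implementing the behaviour the README describes. $store stands in for
// $_SESSION so the example runs without a session handler.
final class DemoCsrf
{
    private const KEY = 'demo_csrf';
    private array $store;

    public function __construct(array &$store)
    {
        $this->store = &$store;
    }

    // Mirrors generateToken(int $expirySeconds = 3600): string
    public function generateToken(int $expirySeconds = 3600): string
    {
        $token = bin2hex(random_bytes(32));   // 256 bits from the CSPRNG
        $this->store[self::KEY] = [
            'token'   => $token,
            'expires' => time() + $expirySeconds,
        ];
        return $token;
    }

    // Mirrors tokenIsNotExpired(): bool
    public function tokenIsNotExpired(): bool
    {
        return isset($this->store[self::KEY])
            && time() < $this->store[self::KEY]['expires'];
    }

    // Mirrors tokenIsValid(string $tokenToCheck): bool with one-time use:
    // the stored token is cleared on success, so a replayed token fails.
    public function tokenIsValid(string $tokenToCheck): bool
    {
        if (!$this->tokenIsNotExpired()) {
            unset($this->store[self::KEY]);   // expired tokens are discarded too
            return false;
        }
        // hash_equals() compares in constant time, so response timing does
        // not leak how many leading bytes of the submitted token were right.
        $ok = hash_equals($this->store[self::KEY]['token'], $tokenToCheck);
        if ($ok) {
            unset($this->store[self::KEY]);
        }
        return $ok;
    }
}

$session = [];                                   // constructed stand-in for $_SESSION
$csrf  = new DemoCsrf($session);
$token = $csrf->generateToken(300);
var_dump($csrf->tokenIsValid($token));           // first submission of a fresh token
var_dump($csrf->tokenIsValid($token));           // replay of the same token
var_dump($csrf->tokenIsValid('never-issued'));   // token that was never generated
```

Run with `php demo.php`; the second and third checks are the replay and forgery cases the README's one-time-token feature is meant to reject.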