CSRF
  • Namespace
  • Class
  • Tree

Namespaces

  • PHP
  • Riimu
    • Kit
      • CSRF
        • Source
        • Storage

Classes

  • CSRFHandler
  • NonceValidator
  • SingleToken

Exceptions

  • InvalidCSRFTokenException

Class CSRFHandler

Secure CSRF token validator and generator.

CSRFHandler provides a simple way to generate and validate CSRF tokens. Precautions have been taken to avoid timing and BREACH attacks. The tokens are generated using the SecureRandom library in order to generate secure random byte sequences.

Direct known subclasses

Riimu\Kit\CSRF\NonceValidator

Namespace: Riimu\Kit\CSRF
Copyright: Copyright (c) 2014, Riikka Kalliomäki
License: MIT License
Author: Riikka Kalliomäki riikka.kalliomaki@gmail.com
Located at CSRFHandler.php

Methods summary

public
# __construct( boolean $useCookies = true )

Creates a new instance of CSRFHandler.

Creates a new instance of CSRFHandler.

When creating a new instance, it will be initialized with either cookie storage or session storage depending on whether you pass true or false as the constructor parameter (defaults to cookie). The actual token won't be loaded until the token is validated, though. By default, the handler will also use post and header data to look for submitted tokens.

Parameters

$useCookies
True for cookie storage, false for session storage
public
# setGenerator( Riimu\Kit\SecureRandom\SecureRandom $generator )

Sets the random generator for generating secure random bytes.

Sets the random generator for generating secure random bytes.

Parameters

$generator
Secure random generator
public Riimu\Kit\SecureRandom\SecureRandom
# getGenerator( )

Returns the current secure random generator.

Returns the current secure random generator.

Returns

Riimu\Kit\SecureRandom\SecureRandom
Current secure random generator
public
# setStorage( Riimu\Kit\CSRF\Storage\TokenStorage $storage )

Sets the persistent storage for the CSRF token.

Sets the persistent storage for the CSRF token.

The token storage should be set before you create new tokens or attempt to validate tokens, because the storage is only used the first time the token is needed.

Parameters

$storage
Persistent storage handler
public
# setSources( array $sources )

Sets the possible sources for submitted token.

Sets the possible sources for submitted token.

Multiple sources can be added using an array. The handler will look for the token from the sources in the order they appear in the array.

Parameters

$sources
List of token sources.
public boolean
# isValidatedRequest( )

Tells if the request method indicates that the CSRF token should be validated.

Tells if the request method indicates that the CSRF token should be validated.

Returns

boolean
True if the token should be validated, false if not
public boolean
# validateRequest( boolean $throw = false )

Validates the csrf token in the HTTP request.

Validates the csrf token in the HTTP request.

This method should be called in the beginning of the request. By default, POST, PUT and DELETE requests will be validated for a valid CSRF token. If the request does not provide a valid CSRF token, this method will kill the script and send a HTTP 400 (bad request) response to the browser.

This method also accepts a single parameter than can be either true or false. If the parameter is set to true, this method will throw an InvalidCSRFTokenException instead of killing the script if no valid CSRF token was provided in the request.

This method will always trigger the token storage. If you are using the cookie storage, this method must be called before the headers have been sent. If you are using the session storage instead, you must start the session before calling this method.

Parameters

$throw
True to throw an exception on invalid token, false to kill the script

Returns

boolean
This method always returns true

Throws

Riimu\Kit\CSRF\InvalidCSRFTokenException
If throwing is enabled and there is no valid csrf token
Riimu\Kit\CSRF\Storage\TokenStorageException
If the secret token cannot be loaded or stored
protected
# killScript( )

Kills the script execution and sends the appropriate header.

Kills the script execution and sends the appropriate header.

Codecoverageignore

public boolean
# validateRequestToken( )

Validates the token sent in the request.

Validates the token sent in the request.

Returns

boolean
True if the token sent in the request is valid, false if not

Throws

Riimu\Kit\CSRF\Storage\TokenStorageException
If the secret token cannot be loaded or stored
public boolean
# validateToken( string $token )

Validates the csrf token.

Validates the csrf token.

The token must be provided as a base64 encoded string which also includes the token encryption key. In other words, you should pass this method the exact same string that has been returned by the getToken() method.

Parameters

$token
The base64 encoded token provided by getToken()

Returns

boolean
True if the token is valid, false if it is not

Throws

Riimu\Kit\CSRF\Storage\TokenStorageException
If the secret token cannot be loaded or stored
public string
# getToken( )

Generates a new secure base64 encoded csrf token.

Generates a new secure base64 encoded csrf token.

This method returns a new string every time it is called, because it always generates a new encryption key for the token. Of course, each of these tokens is a valid CSRF token, unless the regenerateToken() method is called.

Returns

string
Base64 encoded CSRF token

Throws

Riimu\Kit\CSRF\Storage\TokenStorageException
If the secret token cannot be loaded or stored
public Riimu\Kit\CSRF\CSRFHandler
# regenerateToken( )

Regenerates the actual CSRF token.

Regenerates the actual CSRF token.

After this method has been called, any token that has been previously generated by getToken() is no longer considered valid. It is highly recommended to regenerate the CSRF token after any user authentication.

Returns

Riimu\Kit\CSRF\CSRFHandler
Returns self for call chaining

Throws

Riimu\Kit\CSRF\Storage\TokenStorageException
If the secret token cannot be stored
public string
# getTrueToken( )

Returns the current actual CSRF token.

Returns the current actual CSRF token.

This returns the current actual 32 byte random string that is used to validate the CSRF tokens submitted in requests.

Returns

string
The current actual CSRF token

Throws

Riimu\Kit\CSRF\Storage\TokenStorageException
If the secret token cannot be loaded or stored
public string|false
# getRequestToken( )

Returns the token sent in the request.

Returns the token sent in the request.

Returns

string|false
The token sent in the request or false if there is none

Constants summary

integer TOKEN_LENGTH
# 32

Properties summary

protected string[] $validatedMethods

List of request methods to validate for the CSRF token

List of request methods to validate for the CSRF token

# ['POST', 'PUT', 'DELETE']
CSRF API documentation generated by ApiGen