banujan6 / csrf-handler Goto Github PK
View Code? Open in Web Editor NEWA simple CSRF Token protection library for PHP. I t will help you to generate the random unique token and validate it to prevent CSRF attack.
License: MIT License
A simple CSRF Token protection library for PHP. I t will help you to generate the random unique token and validate it to prevent CSRF attack.
License: MIT License
Hello, @banujan6 i have just seen your update but there is another problem, thing that you need patched
private static function startSession() { if(!isset($_SESSION["X-CSRF-TOKEN-LIST"]) && session_status() == PHP_SESSION_NONE){ session_start(); } $_SESSION["X-CSRF-TOKEN-LIST"] = null; // initializing the index }
If somebody has session class on there own, without this it will show "notice" that session already started - also i have moved your $_SESSION["X-CSRF-TOKEN-LIST"] out off IF loop :)
Originally posted by @onebeat in #7 (comment)
Hi @banujan6 ,
I added it with Composer but I get an error. What could be the reason for this?
Error
Class 'csrf' not found
use csrfhandler\csrf as csrf;
$isValidCSRF = csrf::all();
PHP 7.3
Thank you.
If you want to avoid loading the page a bit long
In the CSRF file you can annotate the code below:
Its keeps your script from looking for nothing.
//if (phpversion() < 5.5)
{
$hashedToken = hash('sha256', base64_encode($keySet.$userAgent.$clientIp));
}
/*else
{
$hashedToken = base64_encode(password_hash(base64_encode($keySet.$userAgent.$clientIp), PASSWORD_BCRYPT));
}*/
Thanks
Possible to get this repository listed at https://packagist.org so we can install it via Composer?
Is it necessary add self::removeToken() in checkToken()?
I submit form via ajax, the first time is true but false in second because token was removed.
I was getting this error in my source code:
array_push() expects parameter 1 to be array, boolean given in csrf.php on line 61
I changed:
$tokenList = unserialize($_SESSION['X-CSRF-TOKEN-LIST']);
To this:
$tokenList[] = unserialize($_SESSION['X-CSRF-TOKEN-LIST']);
And the error went away.
Hello, how can i implement this CSFR-handler inside ajax requst ?
Currently i have MVC framework when load VIEW it generates token and when i want to edit it is working fine (first time because CSFR tokens are the same) but next time without refresh i get error - i understand where is the problem so if you can help ?
Thank you in advance...
Hello,
first want to thank you for your great CSRF handler...
I have problem with
Undefined index: X-CSRF-TOKEN-LIST in vendor/banujan6/csrf-handler/src/csrfhandler/csrf.php on line 71
$_SESSION['X-CSRF-TOKEN-LIST'] = null;
There is no error,but $_SESSION['X-CSRF-TOKEN-LIST'] is different "shorter" - is this ok or ?
To increase security there should be additional checks for user agent and IP address. Doing so a token is linked to the current browser and IP address which makes it more difficult to fake it and to use it in other application.
However, I do not recommend to save those information in plain text but rather would like to see them hashed for privacy reasons.
Hi,
If I try this methos, I got token issue. Simple php->php page change is working.
This is my example code.
In index.php:
use csrfhandler\csrf as csrf;
$_token = csrf::token();
<script>
var token = '<?php echo $_token; ?>';
var chk = new Object();
chk._token = token;
$.post("_checkProduct.php", chk, function(chkProduct){
alert(chkProduct.found);
}, "json");
</script>
In _checkProduct.php:
use csrfhandler\csrf as csrf;
$ret = array();
if (csrf::post()) {
$ret["found"] = "token ok";
} else {
$ret["found"] = "token issue!";
}
echo json_encode($ret);
If I load the index.php I got the "token issue!" alert box. Id don't know why, if I send back the token into alert() box, the 2 token is same.
Thx
A declarative, efficient, and flexible JavaScript library for building user interfaces.
๐ Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
The Web framework for perfectionists with deadlines.
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. ๐๐๐
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
We are working to build community through open source technology. NB: members must have two-factor auth.
Open source projects and samples from Microsoft.
Google โค๏ธ Open Source for everyone.
Alibaba Open Source for everyone
Data-Driven Documents codes.
China tencent open source team.