To increase security there should be additional checks for user agent and IP address. Doing so a token is linked to the current browser and IP address which makes it more difficult to fake it and to use it in other application.

However, I do not recommend to save those information in plain text but rather would like to see them hashed for privacy reasons.

Hello, how can i implement this CSFR-handler inside ajax requst ?

Currently i have MVC framework when load VIEW it generates token and when i want to edit it is working fine (first time because CSFR tokens are the same) but next time without refresh i get error - i understand where is the problem so if you can help ?

Thank you in advance...

If you want to avoid loading the page a bit long

In the CSRF file you can annotate the code below:

Its keeps your script from looking for nothing.

//if (phpversion() < 5.5)
{
$hashedToken = hash('sha256', base64_encode($keySet.$userAgent.$clientIp));
}
/*else
{
$hashedToken = base64_encode(password_hash(base64_encode($keySet.$userAgent.$clientIp), PASSWORD_BCRYPT));
}*/

Thanks

Possible to get this repository listed at https://packagist.org so we can install it via Composer?

Hello,
first want to thank you for your great CSRF handler...

I have problem with

Undefined index: X-CSRF-TOKEN-LIST in vendor/banujan6/csrf-handler/src/csrfhandler/csrf.php on line 71

• on that line is setToken function and if i putt

$_SESSION['X-CSRF-TOKEN-LIST'] = null;

There is no error,but $_SESSION['X-CSRF-TOKEN-LIST'] is different "shorter" - is this ok or ?

I was getting this error in my source code:
array_push() expects parameter 1 to be array, boolean given in csrf.php on line 61

Hi @banujan6 ,

I added it with Composer but I get an error. What could be the reason for this?

Error
Class 'csrf' not found

use csrfhandler\csrf as csrf;
	$isValidCSRF = csrf::all();

PHP 7.3
Thank you.

Hello, @banujan6 i have just seen your update but there is another problem, thing that you need patched

private static function startSession() { if(!isset($_SESSION["X-CSRF-TOKEN-LIST"]) && session_status() == PHP_SESSION_NONE){ session_start(); } $_SESSION["X-CSRF-TOKEN-LIST"] = null; // initializing the index }

If somebody has session class on there own, without this it will show "notice" that session already started - also i have moved your $_SESSION["X-CSRF-TOKEN-LIST"] out off IF loop :)

Originally posted by @onebeat in #7 (comment)

Is it necessary add self::removeToken() in checkToken()?
I submit form via ajax, the first time is true but false in second because token was removed.

Hi,

If I try this methos, I got token issue. Simple php->php page change is working.
This is my example code.

In index.php:

use csrfhandler\csrf as csrf;
$_token = csrf::token();

<script>
var token = '<?php echo $_token; ?>';
var chk = new Object();
chk._token = token;
$.post("_checkProduct.php", chk, function(chkProduct){
  alert(chkProduct.found);
}, "json");
</script>

In _checkProduct.php:

use csrfhandler\csrf as csrf;
$ret = array();
if (csrf::post()) {
  $ret["found"] = "token ok";
} else {
  $ret["found"] = "token issue!";
}
echo json_encode($ret);

If I load the index.php I got the "token issue!" alert box. Id don't know why, if I send back the token into alert() box, the 2 token is same.

Thx