PHP Classes

PHP CSRF Protection class: Prevent CSRF request security attacks

Last updated: 2013-09-19
Version: 1
License: BSD License
PHP version: 5.4
Categories: HTML, PHP 5, Security

This package can be used to prevent CSRF request security attacks.

It can register a PHP shutdown function that will capture the current page output so it can be captured to be processed by the class.

It can parse the HTML of the captured page and replace the URLs of the links and forms to add a token that can be verified later to prevent Cross-Site Request Forgery attacks by validating the token.

Author: jstar88 (Italy)

Protect against CSRF attacks. **PHP >= 5.4**

## Introduction
Cross-site request forgery, also known as a one-click attack or session riding and abbreviated as CSRF (sometimes pronounced sea-surf) or XSRF, is a type of malicious exploit of a website whereby unauthorized commands are transmitted from a user that the website trusts.   
Unlike cross-site scripting (XSS), which exploits the trust a user has for a particular site, CSRF exploits the trust that a site has in a user's browser.   
This class can also be useful against some JavaScript scripts that attempt to simulate a human user or to mount a DoS attack.

## Why should I use this class?
Most other PHP scripts require you to edit every link and form manually, one by one.
In a medium or large application this is not only tedious but also dangerous, because as a human you make mistakes.
**CSRFProtector**, instead, does the job automatically!

Just before the end of the script, it searches the output buffer for every link and form. Each one is modified by adding a special random token;
the tokens are then saved in the session to build a whitelist.
When a request reaches your server, CSRFProtector checks whether the associated token is in the permitted list: if it is, the script continues; otherwise an error is shown.
That is not all: it also stores in the session a flag with the end time of the script execution, and you can choose when the next request is accepted.
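As an added worked example (not CSRFProtector's own code), the mechanism just described in one self-contained PHP page: an output-buffer callback stamps links and forms with random tokens that are whitelisted in the session with an expiry, and any request carrying parameters is rejected unless its token is valid, unused, and the minimum delay since the previous script end has elapsed. The function names are my own, and the openssl extension is assumed to be available.

```php
<?php
// Added illustration of the described mechanism (not CSRFProtector's own code).
session_start();
const TOKEN_TTL = 120; // seconds a whitelisted token stays valid
const MIN_GAP   = 1;   // seconds required between script end and the next request
// Mint an unguessable token and whitelist it in the session with its expiry time.
function csrf_new_token() {
    $t = bin2hex(openssl_random_pseudo_bytes(16)); // on PHP 7+ prefer random_bytes(16)
    $_SESSION['csrf_whitelist'][$t] = time() + TOKEN_TTL;
    return $t;
}
// Append a fresh token to a URL, respecting an existing query string.
function csrf_protect_url($url) {
    return $url . (strpos($url, '?') === false ? '?' : '&') . 'csrf=' . csrf_new_token();
}
// Output-buffer callback: stamp every <a href="..."> and inject a hidden field into every <form>.
function csrf_rewrite_output($html) {
    $html = preg_replace_callback('/<a\b([^>]*?)href="([^"]*)"/i', function ($m) {
        return '<a' . $m[1] . 'href="' . csrf_protect_url($m[2]) . '"';
    }, $html);
    return preg_replace_callback('/<form\b[^>]*>/i', function ($m) {
        return $m[0] . '<input type="hidden" name="csrf" value="' . csrf_new_token() . '">';
    }, $html);
}
// Accept a request only if its token is whitelisted, unexpired and unused, and the
// minimum gap since the previous script ended has elapsed. Tokens are consumed on use.
function csrf_validate($token) {
    if (!is_string($token)) return false; // reject csrf[]=... style inputs
    $now  = time();
    $list = isset($_SESSION['csrf_whitelist']) ? $_SESSION['csrf_whitelist'] : array();
    foreach ($list as $t => $exp) { if ($exp < $now) unset($list[$t]); } // purge expired
    $ok = isset($list[$token])
        && (!isset($_SESSION['csrf_last_end']) || $now >= $_SESSION['csrf_last_end'] + MIN_GAP);
    unset($list[$token]);
    $_SESSION['csrf_whitelist'] = $list;
    return $ok;
}
if ($_GET || $_POST) { // every request carrying parameters must present a valid token
    $token = isset($_POST['csrf']) ? $_POST['csrf'] : (isset($_GET['csrf']) ? $_GET['csrf'] : '');
    if (!csrf_validate($token)) { http_response_code(403); exit('CSRF protection'); }
}
ob_start('csrf_rewrite_output');
register_shutdown_function(function () { // flush the rewritten page, then record the end time
    ob_end_flush();
    $_SESSION['csrf_last_end'] = time();
});
?>
<a href="index.php?page=2">next page</a>
<form action="form.php" method="post"><input type="submit" value="send"></form>
```

The shutdown function flushes the buffer before PHP writes the session at request end, so the tokens minted while rewriting the page are persisted for the next request.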

To sum up:

* CSRF protection
* Bot script protection
* Race condition protection (a minimum delay between requests)
* No cookie or database used

To do:

* Enable ajax
* Enable javascript redirect

## Installation
First of all, download and unzip all the contents into a folder on your server. Let's suppose it is *libs*.
At the beginning of your main script, add this code:

```php
require("libs/CSRFProtector-master/CSRFProtector.php");
$jsPath = "CSRFProtector"; // directory where native.history.js is located
$csrf = new CSRFProtector($jsPath);
```

That is all! Still, it is more powerful than it might seem.

#### Advanced configurations

The constructor can take the following optional arguments:

1. A string path where native.history.js is located (the browser will request {yourpath}/native.history.js)
2. A callable that will be invoked when a CSRF attack is detected (the default action is to end the script and display "CSFR protection")
3. A callable that generates the token (by default a composition of 3 random values)
4. The maximum lifetime of tokens in seconds (default is 120 seconds)
5. The minimum time required between the current script's end time and the next request (default is 1 second)


```php
// Custom handler run when a CSRF attack is detected.
$error = function () {
    die("Nice try dude");
};

// Custom token generator (note: mt_rand() is not a cryptographically secure source).
$token = function () {
    return "_" . mt_rand(1, 200) . md5(mt_rand(2, 100));
};

$time = 30; // maximum token lifetime, in seconds
$min = 0;   // minimum delay between script end and the next request, in seconds
$jsPath = "CSRFProtector"; // directory where native.history.js is located

$csrf = new CSRFProtector($jsPath, $error, $token, $time, $min);
```


It's also possible to protect GET and POST data manually using a few functions:

```php
$auto = false;
$jsPath = "CSRFProtector";
$csrf = new CSRFProtector($jsPath);
```

```html
<a href="<?php echo $csrf->protectUrl("index.php"); ?>">a link</a>
<form action="form.php" method="post">
  <?php echo $csrf->getFormHiddenComponent(); ?>
</form>
```

Files (8):

* CSRFProtector.php (class source)
* native.history.js (auxiliary data)
* readme.html (documentation)
* a plain text documentation file (name missing from the listing)
* core/CSRFBackEnd.php (class source)
* core/CSRFFrontEnd.php (class source)
* core/TokenManager.php (class source)
* examples/Sample.php (example script)
