zakirullin/csrf-middleware

A PSR-15 middleware to automate CSRF-token verification process

Requirements

• PHP >= 7.1
• A PSR-7 http message implementation (Diactoros, Guzzle, Slim, etc...)
• A PSR-15 middleware dispatcher

Installation

This package is installable and autoloadable via Composer as zakirullin/csrf-middleware.

composer require zakirullin/csrf-middleware 

PHP

$getIdentity = function (\Psr\Http\Message\ServerRequestInterface $request) {
    $session = $request->getAttribute('session');
    return $session->get('id');
};

$dispatcher = new Dispatcher([
    ...
    new \Zakirullin\Middlewares\CSRF($getIdentity, 'secret'),
    ...
]);

HTML

<form method="POST" action="/dangerous/action">
    ...
    <input type="hidden" name="csrf" value="<?= $request->getAttribute('csrf') ?>">
    ...
</form>

Options

__construct(
    callable $getIdentity,
    string $secret,
    string $attribute = self::ATTRIBUTE,
    int $ttl = self::TTL,
    string $algorithm = self::ALGORITHM
)

$getIdentity(ServerRequestInterface $request)

A callback that should return a string containing some per-user unique identity. For example - session id.

---

The MIT License (MIT). Please see LICENSE for more information.