This file contains the CsrfToken class, which handles generation and checking of synchronization tokens.
In the future more features will be incorporated into this kit, but the CsrfToken class is the most important part of the puzzle.
This kit was written for PHP version 5.3 and upwards. It has not been, and will not be, tested on any previous version of PHP. I believe the code would work provided you remove the namespace line from CsrfToken.php (or any other piece of code that you may find in this package), and use CsrfToken without the namespaces.
If you feel support for pre-5.3 versions is important to you, please test CsrfToken as is in your code, and then try removing the namespace. I'm not sure how it's supposed to work, so I'd appreciate a bug report on that.
The basic usage involves initializing an instance at some point and calling either the getHiddenField() or generateToken() method. The former produces an XHTML-compliant input element, whereas the latter produces a raw Base64-encoded string. In a later request, that request can be tested for authenticity (to the best of this script's author's knowledge) by calling the checkToken() method.
The generateHiddenField() and generateToken() methods create a $_SESSION['csrf'] array containing the material for token creation. This data is preserved so that the token can be checked later.
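The request flow described above, as an added, self-contained illustration: this is not the kit's CsrfToken class, but an independent stand-in (DemoCsrfToken, a constructed name) with the same three operations, so the generate/store/check cycle and the session slot can be seen end to end. It assumes PHP 7 or later for random_bytes() and hash_equals(), whereas the kit itself targets 5.3, and it runs against a plain array in place of $_SESSION so it can be executed from the command line without a web server. The field name csrf_token and the one-hour token lifetime are assumptions, not values taken from this kit.

```php
<?php
// Added illustration of the synchronizer-token flow, not the kit's own CsrfToken class.
// Same three operations (hidden field, raw token, check); requires PHP 7+.

final class DemoCsrfToken
{
    const SESSION_KEY = 'csrf';       // mirrors the $_SESSION['csrf'] slot the README mentions
    const FIELD_NAME  = 'csrf_token'; // assumed form field name
    private $session;

    // The session store is passed by reference so the demo can use a plain array.
    public function __construct(array &$session)
    {
        $this->session = &$session;
    }

    // Produce a fresh Base64-encoded token and keep the material needed to check it later.
    public function generateToken()
    {
        $token = base64_encode(random_bytes(32));
        $this->session[self::SESSION_KEY] = array(
            'token'   => $token,
            'created' => time(),
        );
        return $token;
    }

    // XHTML-style hidden input carrying a freshly generated token, value HTML-escaped.
    public function getHiddenField()
    {
        $token = $this->generateToken();
        return sprintf(
            '<input type="hidden" name="%s" value="%s" />',
            self::FIELD_NAME,
            htmlspecialchars($token, ENT_QUOTES | ENT_XHTML, 'UTF-8')
        );
    }

    // Compare the submitted value with the stored one in constant time. The stored
    // material is discarded first so the same token cannot be replayed, and tokens
    // older than $maxAgeSeconds (assumed one hour) are rejected.
    public function checkToken($submitted, $maxAgeSeconds = 3600)
    {
        if (!isset($this->session[self::SESSION_KEY]['token']) || !is_string($submitted)) {
            return false;
        }
        $stored = $this->session[self::SESSION_KEY];
        unset($this->session[self::SESSION_KEY]);
        if (time() - $stored['created'] > $maxAgeSeconds) {
            return false;
        }
        return hash_equals($stored['token'], $submitted);
    }
}

// Two simulated requests sharing one session array (constructed stand-in for $_SESSION).
$session = array();

// Request 1: render the form with the hidden field.
$form = new DemoCsrfToken($session);
$field = $form->getHiddenField();
echo "Rendered field: ", $field, "\n";

// Request 2: the browser posts the form back; pull the token out of the rendered field.
preg_match('/value="([^"]*)"/', $field, $m);
$post = array(DemoCsrfToken::FIELD_NAME => html_entity_decode($m[1], ENT_QUOTES, 'UTF-8'));

$check = new DemoCsrfToken($session);
echo "First submission: ", ($check->checkToken($post[DemoCsrfToken::FIELD_NAME]) ? 'accepted' : 'rejected'), "\n";

// A replay of the same token, and a request carrying no token at all, are both rejected.
echo "Replayed token:   ", ($check->checkToken($post[DemoCsrfToken::FIELD_NAME]) ? 'accepted' : 'rejected'), "\n";
echo "Missing token:    ", ($check->checkToken(null) ? 'accepted' : 'rejected'), "\n";
```

Run it with `php demo.php`; the three checks print accepted, rejected, rejected. The constant-time comparison and the unset-before-compare ordering are the two details worth carrying into any real implementation: the former avoids leaking the stored token through timing, the latter makes each token single-use even if the comparison itself fails.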
Copyright (c)2010 by Branko Vukelic. All rights reserved.
This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. (See the LICENSE file for the exact text of the GPL license.)
At your option, you may redistribute and/or modify this program under the terms of the GNU Lesser General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. (See the LGPL file for the exact text of the LGPL license.)
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
You should have received a copy of the GNU General Public License along with this program. If not, see http://www.gnu.org/licenses/.
This script has not been widely tested (actually, it's been only tested on a local host), so I do not recommend using it without sufficient testing. That said, I do think it will work as expected.
- Write unit tests for the CsrfToken class.
- Implement a helper function or class for checking the HTTP Referrer header.