CSRF\TokenService [](https://travis-ci.org/schnittstabil/csrf-tokenservice) [](https://coveralls.io/github/schnittstabil/csrf-tokenservice?branch=master) [](https://scrutinizer-ci.com/g/schnittstabil/csrf-tokenservice/?branch=master) [](https://codeclimate.com/github/schnittstabil/csrf-tokenservice)

June 18, 2017 · View on GitHub

SensioLabsInsight

Stateless CSRF (Cross-Site Request Forgery) token service :meat_on_bone:

Install

$ composer require schnittstabil/csrf-tokenservice

Usage

<?php
require __DIR__.'/vendor/autoload.php';

use Schnittstabil\Csrf\TokenService\TokenService;

// Shared secret key used for generating and validating token signatures:
$key = 'This key is not so secret - change it!';

// Time to Live in seconds; default is 1440 seconds === 24 minutes:
$ttl = 1440;

// create the TokenService
$tokenService = new TokenService($key, $ttl);

// generate a URL-safe token, using the name of the authenticated user as nonce:
$token = $tokenService->generate($_SERVER['PHP_AUTH_USER']);

// validate the token - stateless; no session needed
if (!$tokenService->validate($_SERVER['PHP_AUTH_USER'], $token)) {
    http_response_code(403);
    echo '<h2>403 Access Forbidden, bad CSRF token</h2>';
    exit();
}

License

MIT © Michael Mayer