
ayesh/stateless-csrf
====================

Secret-key based state-less CSRF token generator and validator for PHP 8. State-less means you do not have to store the CSRF token in session or database.

v1.4.1 (2y ago) | MIT | PHP ^8.3 | [1 issues](https://github.com/Ayesh/StatelessCSRF/issues)

[Source](https://github.com/Ayesh/StatelessCSRF) | [Packagist](https://packagist.org/packages/ayesh/stateless-csrf)

Stateless CSRF - Secret-key based Cross-Site-Request Forgery Protection tokens
==============================================================================

`ayesh/stateless-csrf` is a PHP library that generates and validates stateless CSRF-protection tokens. This means the generated tokens are not stored in a database or on disk on the server. Instead, validation relies on a combination of a secret key (that only the server knows) and clues that identify a browser.

Because we do not store the generated tokens, this library does *not* provide protection against replay attacks.

Requirements
------------

- PHP 7.4 or later.
- PHP built-in extensions: Hash and JSON (available unless PHP is compiled manually without these extensions).

Features
--------

- Generate a secure token using SHA-256 HMAC.
- Optionally set an expiration time on tokens.
- Generated tokens are URL-safe.
- Optimized to be used with an Inversion of Control container.
- Token validation is safe against timing attacks.
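
The scheme described above (an HMAC-SHA-256 keyed with the server secret over browser clues, an expiry, URL-safe output and constant-time validation) can be sketched as follows. This is an added example, not the library's code, API or token format: `csrf_mac`, `csrf_issue`, `csrf_check`, the `expiry.mac` layout and the choice of clues (user agent, IP) are assumptions for illustration, and this sketch always sets an expiry.

```php
<?php
declare(strict_types=1);

// Illustrative sketch only: names and token layout are assumptions,
// not the ayesh/stateless-csrf API or its wire format.

function b64url(string $bin): string {
    // URL-safe base64 without padding.
    return rtrim(strtr(base64_encode($bin), '+/', '-_'), '=');
}

/** HMAC over (form id, expiry, browser clues), keyed with the server-only secret. */
function csrf_mac(string $secret, string $formId, array $clues, int $expires): string {
    ksort($clues); // stable order so identical clues always serialise identically
    $payload = json_encode([$formId, $expires, $clues], JSON_THROW_ON_ERROR);
    return hash_hmac('sha256', $payload, $secret, true);
}

function csrf_issue(string $secret, string $formId, array $clues, int $expires): string {
    // The expiry travels in the token; altering it invalidates the MAC.
    return $expires . '.' . b64url(csrf_mac($secret, $formId, $clues, $expires));
}

function csrf_check(string $secret, string $formId, array $clues, string $token, int $now): bool {
    // A SHA-256 MAC is 32 bytes, i.e. 43 unpadded base64url characters.
    if (!preg_match('/^(\d{1,12})\.([A-Za-z0-9_-]{43})$/', $token, $m)) {
        return false; // malformed token
    }
    $expires = (int) $m[1];
    if ($expires < $now) {
        return false; // expired
    }
    // Recompute from the *current* request's clues; nothing is looked up in storage.
    $expected = b64url(csrf_mac($secret, $formId, $clues, $expires));
    return hash_equals($expected, $m[2]); // constant-time comparison
}

// Constructed sample values.
$secret = 'constructed-demo-secret';
$clues  = ['ua' => 'ExampleBrowser/1.0', 'ip' => '192.0.2.10'];
$token  = csrf_issue($secret, 'profile-edit', $clues, 1700000600);

var_dump(csrf_check($secret, 'profile-edit', $clues, $token, 1700000000)); // same browser, before expiry
var_dump(csrf_check($secret, 'profile-edit', ['ua' => 'Other/2.0', 'ip' => '192.0.2.10'], $token, 1700000000)); // clues differ
var_dump(csrf_check($secret, 'profile-edit', $clues, $token, 1700000601)); // after expiry
var_dump(csrf_check($secret, 'profile-edit', $clues, $token, 1700000100)); // second use of the same token
```

Because the server keeps no record of issued tokens, the last call is indistinguishable from the first; that is the replay limitation noted above, and the expiry only bounds how long a captured token stays usable.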

Installation
------------

Copy-pasta the following in your terminal:

```
composer require ayesh/stateless-csrf
```

Examples
--------

#### Simple Example without variables

Before the library can generate tokens, it must be fed with a secret key. This key can be a string of any length, and is used as the key in HMAC operations.

```
