

kunststube/csrfp
================

A signed token generator for cross site request forgery protection.

Version 0.1 (released 13y ago), PHP >=5.3.0, [1 issue](https://github.com/deceze/Kunststube-CSRFP/issues)

Since Nov 13, pushed 8y ago, 5 watchers

[Source](https://github.com/deceze/Kunststube-CSRFP), [Packagist](https://packagist.org/packages/kunststube/csrfp), [Docs](https://github.com/deceze/Kunststube-CSRFP), [RSS](/packages/kunststube-csrfp/feed) (branch master, synced 1mo ago)


Kunststube\\CSRFP - Cross Site Request Forgery Protection
=========================================================


This library is a simple signature generator that protects form submissions from cross-site request forgery using a signed token. It does not require server-side storage of valid tokens and is therefore stateless.

Context
-------


Cross-site request forgery can be prevented by including in each form a token that an attacker cannot easily replicate. Upon receiving a form submission, the token is checked for validity, and the submitted data is accepted or rejected based on whether the token is valid.

One implementation of this idea is to generate a random value, store it both server-side in the user's session and in a hidden field in the form, and then, upon form submission, check whether the submitted value is identical to the value stored in the session. This approach has the drawback of requiring server-side state and storage space. The implementation also becomes slightly more complex if the user is to be allowed to open several forms/tabs at once, which may require several valid tokens to be in play at the same time.

The Kunststube\\CSRFP library uses a signature approach instead. A randomly generated token is signed using a secret that is stored statically on the server. The random token and its signed version are embedded together into the form as a signature. Upon receiving the form submission, the signature is recomputed from the submitted token and the known secret and compared to the submitted signature. The signature is valid only if the entity that generated it knows the secret, which proves that the signed token originally came from the server itself.
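The signature approach described above, as an added example that is not kunststube/csrfp's own code and does not use its API (it assumes PHP 7+ for random_bytes() and hash_equals()). It goes one step beyond the page by also mixing an optional per-client context value such as the session id into the signed data, so that a token/signature pair is accepted only from the client it was issued to:

```php
<?php
// Added illustration of the signed-token scheme described above. It is not
// kunststube/csrfp's own code and does not use its API; PHP 7+ is assumed.
final class SignedCsrfToken
{
    private $secret;

    public function __construct(string $secret)
    {
        $this->secret = $secret;
    }

    // Issue "token:signature"; both halves travel in the hidden form field and
    // nothing is stored server-side. $context is an optional per-client value
    // (such as the session id) mixed into the signed data, so a pair issued to
    // one client is not accepted when replayed by another.
    public function issue(string $context = ''): string
    {
        $token = bin2hex(random_bytes(16));
        return $token . ':' . $this->sign($token, $context);
    }

    // Recompute the signature from the submitted token and the server secret,
    // then compare it with the submitted signature.
    public function verify(string $submitted, string $context = ''): bool
    {
        $parts = explode(':', $submitted, 2);
        if (count($parts) !== 2 || $parts[0] === '' || $parts[1] === '') {
            return false;
        }
        // hash_equals() compares in constant time; no timing leak on a mismatch.
        return hash_equals($this->sign($parts[0], $context), $parts[1]);
    }

    private function sign(string $token, string $context): string
    {
        // "\0" separates the fields so the token/context boundary is unambiguous.
        return hash_hmac('sha256', $token . "\0" . $context, $this->secret);
    }
}

// Constructed demo. The secret stands in for a long random value kept only on the server.
$csrf      = new SignedCsrfToken('PLACEHOLDER-server-secret');
$sessionId = 'constructed-session-id';
$field     = $csrf->issue($sessionId);  // embed as <input type="hidden" name="_csrf" value="...">
$tampered  = substr($field, 0, -1) . (substr($field, -1) === '0' ? '1' : '0');

var_dump($csrf->verify($field, $sessionId));         // accepted: signed by this server for this client
var_dump($csrf->verify($tampered, $sessionId));      // rejected: signature does not match the token
var_dump($csrf->verify($field, 'another-session'));  // rejected: pair was issued to a different client
```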

Simple usage
------------


