


pedroac/nonce
=============

A nonce manager useful for preventing CSRF and replay attacks.

Version 1.1.0 (released 8y ago) · [1 issue](https://github.com/pedroac/nonce4php/issues) · MIT license · PHP >=7.1 · CI passing

Since Mar 31 · last pushed 8y ago · 1 watcher

[Source](https://github.com/pedroac/nonce4php) · [Packagist](https://packagist.org/packages/pedroac/nonce) · [Docs](https://github.com/pedroac/nonce4php) · [RSS](/packages/pedroac-nonce/feed)


pedroac/nonce for PHP
=====================



A [nonce](https://www.computerhope.com/jargon/n/nonce.htm) manager PHP library useful for preventing [CSRF](https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)) and [replay attacks](http://www.crypto-it.net/eng/attacks/replay.html).

Several articles and videos explain the attacks that nonces are meant to prevent:

- [YouTube - Jmaxxz - CSRF Explained](https://www.youtube.com/watch?v=vrjgD0azkCw)
- [YouTube - Professor Messer - Cross-site Request Forgery](https://www.youtube.com/watch?v=rbP2jwEDlBM)
- [YouTube - Professor Messer - Replay Attacks](https://www.youtube.com/watch?v=jy8USm8pIYM)
- [YouTube - Hak5 - How to Hack Wireless Remotes with Radio Replay Attacks](https://www.youtube.com/watch?v=F3bISk5t8cA)
- [Coding Horror - Preventing CSRF and XSRF Attacks](https://blog.codinghorror.com/preventing-csrf-and-xsrf-attacks/)
- [acunetix - CSRF Attacks, XSRF or Sea-Surf](https://www.acunetix.com/websitesecurity/csrf-attacks/)
- [SitePoint - How to Prevent Replay Attacks on Your Website](https://www.sitepoint.com/how-to-prevent-replay-attacks-on-your-website/)

Many existing PHP nonce libraries, however, are too restrictive, coupled to a particular framework, hard to use, or hard to understand.

`pedroac/nonce` tries to solve those issues.

It lets you choose any [PSR-16](https://www.php-fig.org/psr/psr-16/) implementation for temporary nonce storage, the generator of nonce values, the expiration interval, and even a [`DateTime` provider](https://github.com/Kdyby/DateTimeProvider) that overrides the system clock (this is used in the unit tests).

It also provides helpers to manage input, generate random nonce names and values, verify submitted tokens against the stored nonce, and generate HTML elements.
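As an added example (not the library's own code; pedroac/nonce's actual API is not shown on this page), here is a minimal PHP nonce manager built the way the two paragraphs above describe: storage behind the three PSR-16 methods it needs, a TTL, an injectable clock for deterministic tests, constant-time verification that consumes the token, and nonces scoped to a user session. The names `NonceStore`, `ArrayStore`, `NonceManager` and the demo values are assumptions made for this example.

```php
<?php
declare(strict_types=1);

// Added example, not pedroac/nonce's own code: a single-use nonce manager in the shape
// the README describes (PSR-16 storage, expiry, injectable clock). Names are assumptions.

// Subset of PSR-16 (Psr\SimpleCache\CacheInterface) the manager uses, declared locally so
// the file runs without Composer; a real PSR-16 cache exposes these same three methods.
interface NonceStore
{
    public function get(string $key, $default = null);
    public function set(string $key, $value, $ttl = null): bool;
    public function delete(string $key): bool;
}

// In-memory store that honours TTLs against an injected clock, so expiry is deterministic.
final class ArrayStore implements NonceStore
{
    private $items = []; // key => [value, absolute expiry timestamp or null]
    private $now;        // callable returning the current Unix timestamp

    public function __construct(callable $now) { $this->now = $now; }

    public function get(string $key, $default = null)
    {
        if (!isset($this->items[$key])) { return $default; }
        [$value, $expiresAt] = $this->items[$key];
        if ($expiresAt !== null && ($this->now)() >= $expiresAt) {
            unset($this->items[$key]); // expired: behave as if it was never stored
            return $default;
        }
        return $value;
    }

    public function set(string $key, $value, $ttl = null): bool
    {
        if ($ttl instanceof \DateInterval) { $ttl = (new \DateTimeImmutable('@0'))->add($ttl)->getTimestamp(); }
        $this->items[$key] = [$value, $ttl === null ? null : ($this->now)() + $ttl];
        return true;
    }

    public function delete(string $key): bool { unset($this->items[$key]); return true; }
}

final class NonceManager
{
    private $store;
    private $scope; // ties nonces to one user (e.g. the session id), not just to a form
    private $ttl;

    public function __construct(NonceStore $store, string $scope, int $ttlSeconds = 600)
    {
        $this->store = $store; $this->scope = $scope; $this->ttl = $ttlSeconds;
    }

    // Issue a nonce for an action name and return the value to embed in the form.
    // Only its hash is stored, so a dumped cache does not yield redeemable tokens.
    public function create(string $name): string
    {
        $value = bin2hex(random_bytes(16)); // 128 bits from the CSPRNG
        $this->store->set($this->key($name), hash('sha256', $value), $this->ttl);
        return $value;
    }

    // Constant-time check of a submitted value; consumed on success so a replay fails.
    public function verifyAndConsume(string $name, string $submitted): bool
    {
        $key = $this->key($name);
        $stored = $this->store->get($key);
        if (!is_string($stored)) { return false; } // never issued for this scope/name, or expired
        $ok = hash_equals($stored, hash('sha256', $submitted));
        if ($ok) { $this->store->delete($key); }
        return $ok;
    }

    private function key(string $name): string { return 'nonce:' . hash('sha256', $this->scope . "\0" . $name); }
}

function expect(bool $cond, string $what): void
{
    if (!$cond) { throw new \RuntimeException('expectation failed: ' . $what); }
    echo "ok: {$what}\n";
}

// Demo against a fake clock (constructed values, not real time).
$clock = 1000000;
$store = new ArrayStore(function () use (&$clock) { return $clock; });
$alice = new NonceManager($store, 'sess-alice', 300);
$mallory = new NonceManager($store, 'sess-mallory', 300);

$token = $alice->create('delete_account');
expect(!$alice->verifyAndConsume('delete_account', 'forged'), 'wrong value is rejected');
expect(!$alice->verifyAndConsume('other_form', $token), 'token is bound to its form name');
expect(!$mallory->verifyAndConsume('delete_account', $token), 'other session cannot redeem it');
expect($alice->verifyAndConsume('delete_account', $token), 'first genuine submission passes');
expect(!$alice->verifyAndConsume('delete_account', $token), 'replayed submission is rejected');

$token = $alice->create('delete_account');
$clock += 301;
expect(!$alice->verifyAndConsume('delete_account', $token), 'expired token is rejected');
```

Run it with `php nonce-demo.php`. Two properties matter more than the randomness of the value: the nonce must be scoped to the user's session (a token issued to one session must not be redeemable from another, otherwise an attacker can fetch one for themselves and embed it in a forged request), and verification must consume it, otherwise a captured request can simply be replayed within the TTL. Note that `get`-then-`delete` is not atomic across concurrent requests against a shared cache; where that window matters, use a backend that can delete-and-return atomically. Substitute a real PSR-16 cache for `ArrayStore` in production, since an in-process array does not survive across requests.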

Prerequisites
-------------


- PHP 7.1 or later
- Composer
- At least one PSR-16 implementation. Examples:
    - [symfony/cache](https://packagist.org/packages/symfony/cache)
    - [matthiasmullie/scrapbook](https://packagist.org/packages/matthiasmullie/scrapbook)

Installing
----------


Run the command:

`composer require pedroac/nonce`

Usage
-----


### Examples


- [Using Symfony ArrayCache](php/examples/manager.php)
- [CLI test](php/examples/cli-manager-test.php)
- [HTML form using a session](php/examples/phtml-manager-test.php)
- [HTML form using an auto generated nonce name](php/examples/phtml-auto-nonce-name.php)
- [HTML form using a helper](php/examples/phtml-easy-form.php)

The HTML forms can be tested using a PHP built-in web server.
From the `php/examples` folder run the command:

```
php -S localhost:8000
```

Use the URL  in a browser.

### HTML form with a token


1. Create a nonce form helper:

```
