Abandoned → [paragonie/anti-csrf](/?search=paragonie%2Fanti-csrf) · Library · [Security](/categories/security)

resonantcore/anti-csrf
======================

Paragon Initiative's Anti-CSRF Security Library

v2.3.0 (5y ago) · 2691252 · [13 issues](https://github.com/resonantcore/anti-csrf/issues) · [3 PRs](https://github.com/resonantcore/anti-csrf/pulls) · (MIT or AGPL-3.0) · PHP · PHP ^7|^8 · CI failing

Since Jul 28 · Pushed 1y ago · 17 watchers

[Source](https://github.com/resonantcore/anti-csrf) · [Packagist](https://packagist.org/packages/resonantcore/anti-csrf) · [RSS](/packages/resonantcore-anti-csrf/feed) · master · Synced 1mo ago

Anti-CSRF Library
=================

Motivation
----------

There aren't any good session-powered CSRF prevention libraries. By good we mean:

- CSRF tokens can be restricted to any or all of the following:
    - A particular session
    - A particular HTTP URI
    - A particular IP address (optional)
- Multiple CSRF tokens can be stored
- CSRF tokens expire after one use
- An upper limit on the number of tokens stored with session data is enforced
    - In our implementation, the oldest are removed first

**Warning** - Do not use in any project where all `$_SESSION` data is stored client-side in a cookie. This will quickly run up the 4KB storage max for an HTTP cookie.
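
The token properties listed above (locked to a URI, single use, capped storage with oldest-first removal), modelled in a few lines as an added example. This is not the library's code: `SketchTokenStore`, `issue()` and `redeem()` are hypothetical names, the private array stands in for session storage, and the optional IP lock is omitted.

```php
<?php
declare(strict_types=1);

// Simplified model of the properties listed above; NOT the library's code.
// SketchTokenStore and its method names are hypothetical.
final class SketchTokenStore
{
    private array $tokens = [];   // stands in for a slot inside $_SESSION
    private int $limit;

    public function __construct(int $limit) { $this->limit = $limit; }

    /** Issue a token locked to one URI; returns [index, token] for the form. */
    public function issue(string $lockTo): array
    {
        $index = bin2hex(random_bytes(9));
        $token = bin2hex(random_bytes(32));
        $this->tokens[$index] = ['token' => $token, 'uri' => $lockTo];
        // Enforce the cap: remove the oldest entries first (insertion order).
        while (count($this->tokens) > $this->limit) {
            unset($this->tokens[array_key_first($this->tokens)]);
        }
        return [$index, $token];
    }

    /** Check a submitted token; a token that was looked up is consumed either way. */
    public function redeem(string $index, string $token, string $uri): bool
    {
        $entry = $this->tokens[$index] ?? null;
        unset($this->tokens[$index]);   // one use only
        return $entry !== null
            && hash_equals($entry['token'], $token)   // constant-time comparison
            && $entry['uri'] === $uri;
    }
}

// Constructed demo: each var_dump exercises one property.
$store = new SketchTokenStore(3);
[$i, $t] = $store->issue('/addUser.php');
var_dump($store->redeem($i, $t, '/addUser.php'));     // first use
var_dump($store->redeem($i, $t, '/addUser.php'));     // replay of a spent token
[$i, $t] = $store->issue('/addUser.php');
var_dump($store->redeem($i, $t, '/deleteUser.php'));  // token locked to another URI
[$i, $t] = $store->issue('/a');
foreach (['/b', '/c', '/d'] as $u) { $store->issue($u); }
var_dump($store->redeem($i, $t, '/a'));               // pushed out by the cap
```

Only the first redemption succeeds; the replay, the submission to a different URI and the evicted token are all rejected.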

Using it in Any Project
-----------------------

See `autoload.php` for an SPL autoloader.

Using it with Twig templates
----------------------------

First, add a function like this one:

```
use \ParagonIE\AntiCSRF\AntiCSRF;
$twigEnv->addFunction(
    new \Twig\TwigFunction(
        'form_token',
        function($lock_to = null) {
            static $csrf;
            if ($csrf === null) {
                $csrf = new AntiCSRF;
            }
            return $csrf->insertToken($lock_to, false);
        },
        ['is_safe' => ['html']]
    )
);
```

Next, call the newly created `form_token` function from your templates.

```
<form action="/addUser.php" method="post">
    {{ form_token("/addUser.php") }}

    {# ... the rest of your form here ... #}
</form>
```

Validating a Request
--------------------

```
    $csrf = new \ParagonIE\AntiCSRF\AntiCSRF;
    if (!empty($_POST)) {
        if ($csrf->validateRequest()) {
            // Valid
        } else {
            // Log a CSRF attack attempt
        }
    }
```

Support Contracts
-----------------

If your company uses this library in their products or services, you may be interested in [purchasing a support contract from Paragon Initiative Enterprises](https://paragonie.com/enterprise).

### Health Score

40 (Fair). Better than 87% of packages.

- Maintenance: 28. Infrequent updates, may be unmaintained
- Popularity: 26. Limited adoption so far
- Community: 28. Small or concentrated contributor base
- Maturity: 70. Established project with proven stability
- Bus Factor: 2. 2 contributors hold 50%+ of commits

How is this calculated?

- **Maintenance (25%)**: Last commit recency, latest release date, and issue-to-star ratio. Uses a 2-year decay window.
- **Popularity (30%)**: Total and monthly downloads, GitHub stars, and forks. Logarithmic scaling prevents top-heavy scores.
- **Community (15%)**: Contributors, dependents, forks, watchers, and maintainers. Measures real ecosystem engagement.
- **Maturity (30%)**: Project age, version count, PHP version support, and release stability.

### Release Activity

- Cadence: every ~163 days (recently: every ~257 days)
- Total: 13
- Last Release: 1983d ago

Major Versions

- 0.9.3 → v1.0.0 (2016-04-23)
- v1.0.0 → v2.0.0 (2016-04-23)
- v1.0.1 → v2.2.1 (2019-01-03)

PHP version history (4 changes)

- 0.9.2: PHP ^5.6|^7.0
- v2.0.0: PHP ^7.0
- v2.1.0: PHP ^7
- v2.3.0: PHP ^7|^8

### Community

Maintainers: [resonantcore](/maintainers/resonantcore)

---

Top Contributors

- [paragonie-scott](https://github.com/paragonie-scott) (39 commits)
- [paragonie-security](https://github.com/paragonie-security) (35 commits)
- [sarciszewski](https://github.com/sarciszewski) (16 commits)
- [glensc](https://github.com/glensc) (8 commits)
- [oscarotero](https://github.com/oscarotero) (5 commits)
- [jeijei4](https://github.com/jeijei4) (3 commits)
- [Kekos](https://github.com/Kekos) (3 commits)
- [nochso](https://github.com/nochso) (3 commits)
- [mattleff](https://github.com/mattleff) (2 commits)
- [tecome](https://github.com/tecome) (1 commit)
- [enfoqueNativo](https://github.com/enfoqueNativo) (1 commit)
- [jdreesen](https://github.com/jdreesen) (1 commit)
- [manofstrong](https://github.com/manofstrong) (1 commit)
- [Nenglish7](https://github.com/Nenglish7) (1 commit)
- [prisis](https://github.com/prisis) (1 commit)
- [sanmai](https://github.com/sanmai) (1 commit)
- [antonyakushin](https://github.com/antonyakushin) (1 commit)

---

Tags: security, session, csrf, appsec

### Code Quality

- Tests: PHPUnit
- Static Analysis: Psalm
- Type Coverage: Yes

### Alternatives

- [phpseclib/phpseclib](/packages/phpseclib-phpseclib): PHP Secure Communications Library - Pure-PHP implementations of RSA, AES, SSH2, SFTP, X.509 etc. (5.6k434.8M1.3k)
- [paragonie/anti-csrf](/packages/paragonie-anti-csrf): Paragon Initiative's Anti-CSRF Security Library (307200.6k5)
- [aura/session](/packages/aura-session): Provides session management functionality, including lazy session starting, session segments, next-request-only ("flash") values, and CSRF tools. (2041.2M67)
- [owasp/csrf-protector-php](/packages/owasp-csrf-protector-php): CSRF protector php, a standalone php library for csrf mitigation in web applications. Easy to integrate in any php web app. (222348.3k4)
- [riimu/kit-csrf](/packages/riimu-kit-csrf): Secure and simple CSRF library protected against timing and BREACH attacks (6526.1k)
- [ayesh/stateless-csrf](/packages/ayesh-stateless-csrf): Secret-key based state-less CSRF token generator and validator for PHP 8. State-less means you do not have to store the CSRF token in session or database. (3223.3k)

PHPackages © 2026

