API reference
This page summarises the public API in phpgt/csrf.
The package now uses the GT\Csrf namespace prefix.
For backwards compatibility, Composer autoloading in this repository also accepts the legacy Gt\Csrf prefix.
Abstract base class for token generation and verification flow.
Generated tokens are returned as prefixed ULIDs beginning with CSRF_.
The configured token length refers to the ULID portion only, so the full string length is the configured length plus the prefix length.
- __construct(?int $maxTokens = null)
- getMaxTokens(): int
- setTokenLength(int $newTokenLength): void
- generateNewToken(): string
- verify(array|object $postData): void
- saveToken(string $token): void
- consumeToken(string $token): void
- verifyToken(string $token): void
In-memory implementation of TokenStore.
- inherits the constructor from TokenStore
- saveToken(string $token): void
- consumeToken(string $token): void
- verifyToken(string $token): void
Session-backed implementation of TokenStore.
SESSION_KEY = "tokenList"
- __construct(Gt\Session\SessionContainer $session, ?int $maxTokens = null)
- saveToken(string $token): void
- consumeToken(string $token): void
- verifyToken(string $token): void
Injects tokens into HTML documents.
- ONE_TOKEN_PER_PAGE = "PAGE"
- ONE_TOKEN_PER_FORM = "FORM"
- TOKEN_NAME = "csrf-token"
- __construct(string|GT\Dom\HTMLDocument $document, TokenStore $tokenStore)
- protect(string $tokenSharing = self::ONE_TOKEN_PER_PAGE): string
- getHTMLDocument(): GT\Dom\HTMLDocument
Base exception for all CSRF verification failures.
Thrown when submitted data contains no CSRF token.
Thrown when the submitted token does not exist in the store.
Thrown when the submitted token exists but has already been used.
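The verification flow and its failure cases, exercised end to end as an added example (not part of the phpgt/csrf documentation). It assumes the package is installed with Composer, that the in-memory store class is named ArrayTokenStore, and that protect() adds a hidden csrf-token input to POST forms; the form markup and POST arrays are constructed.

```php
<?php
// Added example, not project code. Assumes `composer require phpgt/csrf` and
// that the in-memory store class is named ArrayTokenStore.
require __DIR__ . "/vendor/autoload.php";

use GT\Csrf\ArrayTokenStore;
use GT\Csrf\HTMLDocumentProtector;
use GT\Csrf\TokenStore;

// Constructed sample page containing one POST form.
$html = <<<HTML
<!doctype html>
<form method="post" action="/transfer">
	<input name="amount" value="10" />
	<button>Send</button>
</form>
HTML;

$store = new ArrayTokenStore();
$protector = new HTMLDocumentProtector($html, $store);
$protector->protect(HTMLDocumentProtector::ONE_TOKEN_PER_FORM);

// Read the injected field back out, as a browser would submit it.
$name = HTMLDocumentProtector::TOKEN_NAME;
$field = $protector->getHTMLDocument()->querySelector("input[name='$name']");
if($field === null) {
	exit("No $name field was injected into the form" . PHP_EOL);
}
$token = $field->getAttribute("value");
echo "has CSRF_ prefix: ", var_export(str_starts_with($token, "CSRF_"), true), PHP_EOL;

/** Run verify() on constructed POST data and report the outcome. */
function attempt(TokenStore $store, string $label, array $post): void {
	try {
		$store->verify($post);
		echo "$label: accepted", PHP_EOL;
	}
	catch(Throwable $e) {
		// Print the concrete exception class so the failure modes can be told apart.
		echo "$label: rejected (", get_class($e), ")", PHP_EOL;
	}
}

attempt($store, "first submission", ["amount" => "10", $name => $token]);
attempt($store, "replayed token", ["amount" => "10", $name => $token]);
attempt($store, "unknown token", ["amount" => "10", $name => "CSRF_" . str_repeat("0", 26)]);
attempt($store, "no token field", ["amount" => "10"]);
```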
This package depends on:
- phpgt/dom for GT\Dom\HTMLDocument
- phpgt/session for the built-in session-backed token store