Fr3nch13/CakePHP Utilities

SessionCsrfProtectionMiddleware
in package
implements MiddlewareInterface

Provides CSRF protection via session based tokens.

This middleware adds a CSRF token to the session. Each request must contain a token in request data, or the X-CSRF-Token header on each PATCH, POST, PUT, or DELETE request. This follows a 'synchronizer token' pattern.

If the request data is missing or does not match the session data, an InvalidCsrfTokenException will be raised.

This middleware integrates with the FormHelper automatically and when used together your forms will have CSRF tokens automatically added when $this->Form->create(...) is used in a view.

If you use this middleware do not also use CsrfProtectionMiddleware.

Tags
see
https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html#synchronizer-token-pattern

Table of Contents

Interfaces

MiddlewareInterface
Participant in processing a server request and response.

Constants

TOKEN_VALUE_LENGTH  = 32

Properties

$_config  : array<string, mixed>
Config for the CSRF handling.
$skipCheckCallback  : callable|null
Callback for deciding whether to skip the token check for particular request.

Methods

__construct()  : mixed
Constructor
createToken()  : string
Create a new token to be used for CSRF protection
process()  : ResponseInterface
Checks and sets the CSRF token depending on the HTTP verb.
saltToken()  : string
Apply entropy to a CSRF token
skipCheckCallback()  : $this
Set callback for allowing to skip token check for particular request.
unsaltToken()  : string
Remove the salt from a CSRF token.
unsetTokenField()  : ServerRequestInterface
Remove CSRF protection token from request data.
validateToken()  : void
Validate the request data against the cookie token.

Constants

Properties

$_config

Config for the CSRF handling.

protected array<string, mixed> $_config = ['key' => 'csrfToken', 'field' => '_csrfToken']
  • key The session key to use. Defaults to csrfToken
  • field The form field to check. Changing this will also require configuring FormHelper.

$skipCheckCallback

Callback for deciding whether to skip the token check for particular request.

protected callable|null $skipCheckCallback

CSRF protection token check will be skipped if the callback returns true.

Methods

__construct()

Constructor

public __construct([array<string, mixed> $config = [] ]) : mixed
Parameters
$config : array<string, mixed> = []

Config options. See $_config for valid keys.

createToken()

Create a new token to be used for CSRF protection

public createToken() : string

This token is a simple unique random value as the compare value is stored in the session where it cannot be tampered with.

Return values
string

saltToken()

Apply entropy to a CSRF token

public saltToken(string $token) : string

To avoid BREACH apply a random salt value to a token When the token is compared to the session the token needs to be unsalted.

Parameters
$token : string

The token to salt.

Return values
string

The salted token with the salt appended.

skipCheckCallback()

Set callback for allowing to skip token check for particular request.

public skipCheckCallback(callable $callback) : $this

The callback will receive request instance as argument and must return true if you want to skip token check for the current request.

Parameters
$callback : callable

A callable.

Return values
$this

unsaltToken()

Remove the salt from a CSRF token.

protected unsaltToken(string $token) : string

If the token is not TOKEN_VALUE_LENGTH * 2 it is an old unsalted value that is supported for backwards compatibility.

Parameters
$token : string

The token that could be salty.

Return values
string

An unsalted token.


        

        
    




    

    

                                

                

                                
    

        On this page

        
    


                

                            

            

    

        

            
Search results