
Documentation CSRF Protector php library

minhaz edited this page Aug 11, 2014 · 3 revisions

csrfProtector Interface

Purpose:
This class contains all the (static) functions needed to validate incoming requests and to inject scripts into the outgoing HTML output.
Uses/Interactions:
This class is invoked at the beginning of each PHP file in which the user wants CSRF protection.
Dependencies:
The library requires a configuration file at a location relative to the library file. There are no other dependencies.

Note: All the following methods are static, since no object of this class needs to be created.

Variables

$cookieExpiryTime

public static $cookieExpiryTime

expiry time for the cookie @var int

$isSameOrigin

private static $isSameOrigin

flag for cross origin/same origin request @var bool

$isValidHTML

private static $isValidHTML

flag recording whether the output is valid HTML @var bool

$requestType

protected static $requestType

Variable storing whether the request type is POST or GET @var string

$config

public static $config

configuration for CSRFProtector, loaded from the config file @var array (6 entries)

  • Property: #1: failedAuthAction (int) => action to be taken when authorisation fails
  • Property: #2: logDirectory (string) => directory in which the log will be saved
  • Property: #3: customErrorMessage (string) => custom error message to be sent when authentication fails
  • Property: #4: jsFile (string) => location of the CSRFProtector js file
  • Property: #5: tokenLength (int) => default length of the token
  • Property: #6: disabledJavascriptMessage (string) => message shown if the client's JavaScript is disabled
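An example configuration covering the six properties above. This is an added illustration, not the config file shipped with the library: the file layout (a PHP file that returns an array) and every value shown are assumptions to be adjusted for your deployment. The comments mark the settings that carry security weight.

```php
<?php
// Added example, not the project's shipped config file. The six keys are the
// documented properties; the return-array layout and all values are assumptions.
return array(
    // Integer code selecting what the library does when validation fails.
    // The meaning of each code is defined by the library, not by this file.
    "failedAuthAction" => 0,

    // Must be writable by the web server and should sit OUTSIDE the document
    // root: log lines carry request URLs and client addresses.
    "logDirectory" => __DIR__ . "/../log",

    // Text returned to the user when validation fails (depending on failedAuthAction).
    "customErrorMessage" => "Your request could not be verified. Reload the page and try again.",

    // Serve the helper script from your own origin over HTTPS. Pointing this at
    // a third-party host or a plain-http URL lets whoever controls that host
    // (or the network path) run script in every protected page.
    "jsFile" => "/js/csrfprotector.js",

    // Token length in characters. A short token (e.g. 10) is the kind of value
    // that looks fine and is not; 64 characters of CSPRNG output costs nothing.
    "tokenLength" => 64,

    // Shown when the client has JavaScript disabled.
    "disabledJavascriptMessage" => "This page requires JavaScript to submit forms securely.",
);
```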

Functions

init

public static function init( $length  =   null,

$action  =   null )

initialises the csrfProtector workflow; call it once at the top of each protected PHP file, before any output is sent

Parameters

$length int, length of the CSRF_AUTH_TOKEN to be generated (defaults to tokenLength from the config file)

$action int, action to be taken when validation fails (when supplied, takes precedence over failedAuthAction from the config file)

Returns

void

Throws

configFileNotFoundException when configuration file is not found
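How a protected page wires this in, as an added example that is not part of the wiki or the library source. The include path is an assumption about where the library was unpacked; the rest follows the interface documented on this page.

```php
<?php
// Added example (not from the CSRF Protector wiki or library source): wiring
// csrfProtector into a page. The include path is an assumption; adjust it.
include_once __DIR__ . '/libs/csrf/csrfprotector.php';

// init() must run before ANY output (no echo, no whitespace before "<?php"),
// because it installs ob_handler() as the output-buffer callback that rewrites
// <form> elements and injects the JS helper into the finished HTML.
// Both arguments are optional; null means "take the value from the config file".
try {
    csrfProtector::init(null, null);
} catch (configFileNotFoundException $e) {
    // Fail closed: without its config the protector cannot run, so do not
    // serve a page whose forms would go out unprotected.
    http_response_code(500);
    exit('CSRF protection is not configured');
}

// Application code from here on. Incoming POST requests have already been
// passed through authorisePost(); what happens on a failed check depends on
// the configured failedAuthAction.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $email = isset($_POST['email']) ? $_POST['email'] : '';
    // ... perform the state-changing action ...
}
?>
<!DOCTYPE html>
<html>
<head><title>Account settings</title></head>
<body>
<!-- No token field is written here by hand: ob_handler() adds it to every
     <form> it finds in the buffered output before the page is sent. -->
<form method="post" action="">
  <input type="email" name="email">
  <button type="submit">Update e-mail</button>
</form>
</body>
</html>
```

The ordering matters more than it looks: anything that reaches the client before init() runs (a stray byte before the opening tag, an early echo) is outside the output buffer and is never rewritten, so a form emitted there ships without a token.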

useCachedVersion

public static function useCachedVersion()

function to check whether the cached version of the js file can be used

Parameters

void

Returns

bool, true if the cached version can be used, false otherwise

createNewJsCache

public static function createNewJsCache()

function to create a new cached version of the js file

Parameters

void

Returns

void

Throws

baseJSFileNotFoundException if the base js file is not found

authorisePost

public static function authorisePost()

function to validate incoming POST requests against the auth token

Parameters

void

Returns

void

Throws

logDirectoryNotFoundException if log directory is not found

failedValidationAction

private static function failedValidationAction()

function called when validation fails; logs the attempt and takes the configured action

Parameters

void

Returns

void

refreshToken

public static function refreshToken()

function to set the auth token cookie

Parameters

void

Returns

void

generateAuthToken

public static function generateAuthToken()

function to generate a random token of the requested length (maximum 128 characters)

Parameters

length of the token required, int

Returns

string, token
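The three functions generateAuthToken, refreshToken and authorisePost together form one token life cycle. The following stand-alone sketch is an added example, not the library's own implementation: it re-creates that cycle so the security-relevant decisions (entropy source, cookie attributes, constant-time comparison, failing closed) are visible in one place. Cookie and field names, the cookie attributes and the PHP version requirement are assumptions.

```php
<?php
// Added example, not the library's code: a stand-alone sketch of the token
// life cycle that generateAuthToken / refreshToken / authorisePost describe.
// Cookie/field names and attributes are assumptions; requires PHP >= 7.3.

const CSRF_COOKIE     = 'CSRF_AUTH_TOKEN';  // assumed cookie name
const CSRF_POST_FIELD = 'CSRF_AUTH_TOKEN';  // assumed form field name
const CSRF_MAX_LENGTH = 128;                // cap stated in the interface above

// Random token of $length hex characters, clamped to [8, 128]. random_bytes()
// is a CSPRNG; mt_rand(), rand(), uniqid() or md5(time()) must never be used here.
function generateAuthToken(int $length): string {
    $length = max(8, min($length, CSRF_MAX_LENGTH));
    return substr(bin2hex(random_bytes((int) ceil($length / 2))), 0, $length);
}

// Issue a fresh token cookie. It is deliberately NOT HttpOnly: the injected
// JavaScript has to read it to attach the token to forms and XHR. Secure and
// SameSite limit what that readability costs.
function refreshToken(int $length, int $expirySeconds): string {
    $token  = generateAuthToken($length);
    $secure = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
    setcookie(CSRF_COOKIE, $token, [
        'expires'  => time() + $expirySeconds,
        'path'     => '/',
        'secure'   => $secure,
        'httponly' => false,
        'samesite' => 'Lax',
    ]);
    return $token;
}

// Validate a POST: the token in the body must equal the token in the cookie.
// Both must be present, and the comparison is constant-time.
function authorisePost(array $post, array $cookie): bool {
    $fromCookie = isset($cookie[CSRF_COOKIE])   ? (string) $cookie[CSRF_COOKIE]   : '';
    $fromBody   = isset($post[CSRF_POST_FIELD]) ? (string) $post[CSRF_POST_FIELD] : '';
    if ($fromCookie === '' || $fromBody === '') {
        return false;               // fail closed on a missing token
    }
    return hash_equals($fromCookie, $fromBody);
}

// The role failedValidationAction() plays in the interface: log, then act.
function failedValidationAction(): void {
    error_log(sprintf('CSRF validation failed: %s %s from %s',
        $_SERVER['REQUEST_METHOD'] ?? '-', $_SERVER['REQUEST_URI'] ?? '-', $_SERVER['REMOTE_ADDR'] ?? '-'));
    http_response_code(403);
    exit('Forbidden');
}

// Request flow.
if (($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'POST') {
    if (!authorisePost($_POST, $_COOKIE)) {
        failedValidationAction();
    }
    refreshToken(64, 1800);         // rotate after a successful state change
} elseif (!isset($_COOKIE[CSRF_COOKIE])) {
    refreshToken(64, 1800);         // first visit: issue a token for the forms
}
```

Two caveats apply to any cookie-plus-request-field check of this kind. It relies on the attacker being unable to write cookies for your origin, so sibling subdomains and plain-HTTP cookie injection weaken it and the Secure flag and a tight cookie domain matter. And because the token is readable by script, any XSS on the site bypasses it outright; a CSRF defence is never a substitute for fixing XSS.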

ob_handler

public static function ob_handler( $buffer,

 $flags )

Rewrites <form> elements on the fly to add CSRF tokens to them, and can also inject the JavaScript helper library.

Parameters

$buffer output buffer to which all output are stored

$flags int, bitmask of PHP_OUTPUT_HANDLER_* status flags passed by the output-buffering layer

Returns

string, complete output buffer

logCSRFattack

private static function logCSRFattack()

Function to log CSRF Attack

Parameters

void

Returns

void

Throws

logFileWriteError if the attack could not be logged

getCurrentUrl

private static function getCurrentUrl()

function to return the current URL of the executing page

Parameters

void

Returns

string current url

isURLallowed

public static function isURLallowed()

function to check whether the current URL matches any of the URLs listed in the config file (URLs that need no validation)

Parameters

void

Returns

boolean, true if the URL needs no validation, false if validation is needed