DoubleSubmitCookieCsrfMiddleware implements MiddlewareInterface, LoggerAwareInterface
Double-Submit Cookie CSRF Middleware
A PSR-15-compatible middleware for stateless Double-Submit-Cookie-based CSRF protection.
The $attribute property and first constructor argument sets the key by which the CSRF token is referred to in all parameter sets (request attributes, request body parameters, cookies).
Generates a random token of length $tokenLength (default 128) and stores it as an attribute on the ServerRequestInterface. It's also added to the response as a cookie.
On requests which may modify state (methods other than HEAD, GET or OPTIONS), the request body and request cookies are checked for matching CSRF tokens. If they match, the request is passed on to the handler. If they do not match, further processing is halted and an error response generated from the $errorResponse callback is returned. Refer to the constructor argument for information about customising the error response.
Tags
Interfaces, Classes and Traits
- MiddlewareInterface
- LoggerAwareInterface
Table of Contents
- ATTRIBUTE = 'csrf'
- CSRF_TOKEN_LENGTH = 128
- DEFAULT_ERROR_RESPONSE_STRING = 'Invalid or missing CSRF token!'
- READ_METHODS = ['HEAD', 'GET', 'OPTIONS']
- TTL = 60 * 20
- $attribute : string
- $errorResponse : mixed
- $logger : LoggerInterface
- $tokenLength : int
- $ttl : int
- __construct() : mixed (Constructor)
- process() : ResponseInterface
- setLogger() : mixed
- isValid() : mixed
Constants
ATTRIBUTE
public mixed ATTRIBUTE = 'csrf'
CSRF_TOKEN_LENGTH
public mixed CSRF_TOKEN_LENGTH = 128
DEFAULT_ERROR_RESPONSE_STRING
public mixed DEFAULT_ERROR_RESPONSE_STRING = 'Invalid or missing CSRF token!'
READ_METHODS
public mixed READ_METHODS = ['HEAD', 'GET', 'OPTIONS']
TTL
public mixed TTL = 60 * 20
Properties
$attribute
public string $attribute
$errorResponse
public mixed $errorResponse
$logger
public LoggerInterface $logger
$tokenLength
public int $tokenLength
$ttl
public int $ttl
Methods
__construct()
Constructor
public __construct([string|null $attribute = self::ATTRIBUTE ][, int|null $ttl = self::TTL ][, mixed $errorResponse = self::DEFAULT_ERROR_RESPONSE_STRING ][, mixed $tokenLength = self::CSRF_TOKEN_LENGTH ][, mixed $logger = null ]) : mixed
The $errorResponse parameter can be used to customise the error response returned when a write request has invalid CSRF parameters. It can take the following forms:
- A string, which will be returned as-is with a 400 Status Code and a Content-type: text/plain header
- An instance of ResponseInterface, which will be returned as-is
- A callable with the signature function (ServerRequestInterface $request): ResponseInterface, the return value of which will be returned as-is.
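As an added usage example (not the project's own code), the following wires the middleware into a minimal PSR-15 handler and exercises both the request flow from the class description above and the callable form of $errorResponse: a read request gets a token minted and set as a cookie, a write request whose body token and cookie disagree is answered by the custom callable, and a write request where both copies agree reaches the handler. It assumes the class is autoloaded from the project's namespace (which this page does not state) and that nyholm/psr7 is installed as the PSR-7 implementation; the cookie and body token values in the POST requests are constructed sample values.

```php
<?php
// Added example, not part of the project's documentation. Assumes the middleware
// class is autoloaded and that nyholm/psr7 (any PSR-7 implementation would do)
// is available via Composer.
declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php';

use Nyholm\Psr7\Response;
use Nyholm\Psr7\ServerRequest;
use Psr\Http\Message\ResponseInterface;
use Psr\Http\Message\ServerRequestInterface;
use Psr\Http\Server\RequestHandlerInterface;

// Custom error response in callable form: a 403 with a JSON body instead of
// the default 400 text/plain string.
$csrfError = function (ServerRequestInterface $request): ResponseInterface {
    return new Response(
        403,
        ['Content-Type' => 'application/json'],
        json_encode(['error' => 'CSRF token missing or mismatched'])
    );
};

// Constructor arguments are positional, as in the documented signature.
$csrf = new DoubleSubmitCookieCsrfMiddleware(
    'csrf',      // key used for the request attribute, body parameter and cookie (the default)
    60 * 20,     // cookie TTL in seconds (the default)
    $csrfError,  // error response callable
    128          // token length (the default)
);

// The handler reads the token the middleware stored as a request attribute and
// echoes it into a hidden field. The browser then sends the token twice on submit:
// in the body (this field) and in the cookie, which is the "double submit".
$formHandler = new class implements RequestHandlerInterface {
    public function handle(ServerRequestInterface $request): ResponseInterface
    {
        // Escape before emitting into HTML, as with any value rendered into markup.
        $token = htmlspecialchars((string) $request->getAttribute('csrf'), ENT_QUOTES, 'UTF-8');
        $html = '<form method="post" action="/profile">'
              . '<input type="hidden" name="csrf" value="' . $token . '">'
              . '<button>Save</button></form>';
        return new Response(200, ['Content-Type' => 'text/html; charset=utf-8'], $html);
    }
};

// 1. Read request (GET): passes through; the middleware mints a token, exposes it
//    as the 'csrf' attribute to the handler and sets it as a cookie on the response.
$get = new ServerRequest('GET', '/profile');
$response = $csrf->process($get, $formHandler);
echo $response->getStatusCode(), ' ', $response->getHeaderLine('Set-Cookie'), PHP_EOL;

// 2. Write request whose body token does not match the cookie token (constructed
//    sample values): the middleware stops here and returns what $csrfError produced,
//    so $formHandler is never invoked.
$badPost = (new ServerRequest('POST', '/profile'))
    ->withCookieParams(['csrf' => 'sample-token-a'])
    ->withParsedBody(['csrf' => 'sample-token-b']);
$response = $csrf->process($badPost, $formHandler);
echo $response->getStatusCode(), ' ', (string) $response->getBody(), PHP_EOL;

// 3. Write request where both copies agree (constructed sample value): the request
//    is passed on and $formHandler produces the response.
$goodPost = (new ServerRequest('POST', '/profile'))
    ->withCookieParams(['csrf' => 'sample-token-c'])
    ->withParsedBody(['csrf' => 'sample-token-c']);
$response = $csrf->process($goodPost, $formHandler);
echo $response->getStatusCode(), PHP_EOL;
```

The scheme is stateless because the server never stores the token; it only checks that the body copy and the cookie copy agree. Its protection therefore rests on the assumption that only the application's own pages can set cookies for its host, so the application should be served over HTTPS with Secure cookies and should not share its cookie scope with hosts it does not control.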
Parameters
- $attribute : string|null = self::ATTRIBUTE
- $ttl : int|null = self::TTL
- $errorResponse : mixed = self::DEFAULT_ERROR_RESPONSE_STRING
- $tokenLength : mixed = self::CSRF_TOKEN_LENGTH
- $logger : mixed = null
Return values
mixed
process()
public process(ServerRequestInterface $request, RequestHandlerInterface $handler) : ResponseInterface
Parameters
- $request : ServerRequestInterface
- $handler : RequestHandlerInterface
Return values
ResponseInterface
setLogger()
public setLogger(LoggerInterface $logger) : mixed
Parameters
- $logger : LoggerInterface
Return values
mixed
isValid()
protected isValid(ServerRequestInterface $request) : mixed
Parameters
- $request : ServerRequestInterface