XSRF/CSRF Protection (version 0.1, released)
Validates that every POST request to the backend was intentional and not part of a forged request.
Clone URL: https://github.com/richadams/xsrf_protection.git
Add as a submodule: git submodule add https://github.com/richadams/xsrf_protection.git extensions/xsrf_protection --recursive
Compatibility
| 2.x.x | 2.1.x | 2.2.x | 2.3.x | 2.4.x | 2.5.x | 2.6.x | 2.7.0 | 2.7.1 | 2.7.2 | 2.7.3 | 2.7.4 | 2.7.5 | 2.7.6 | 2.7.7 | 2.7.8 | 2.7.9 | 2.7.10 |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| No | No | No | 0.1 | No | No | No | No | No | No | No | No | No | No | No | No | No | No |
Readme
XSRF/CSRF Protection
Version: 0.1
Author: Rich Adams (http://richadams.me)
Licensed under the GPL.
Overview
Protects the backend of Symphony CMS against cross-site request forgery.
What it does
- Adds a hidden `xsrf` input, carrying a one-use token, to every form that uses the POST method.
- When the backend receives a POST request, the submitted token is validated.
- If the token is incorrect, not provided, or has expired, the request is rejected.
Requirements
Only tested in Symphony CMS 2.3
Installation
- Unzip the file.
- Put the xsrf_protection folder into your extension directory.
- Enable the same as any other extension.
Add the following to your configuration file:

```php
"xsrf-protection" => array(
    "token-lifetime" => "15 mins",          // How long the tokens are valid for.
    "invalidate-tokens-on-request" => true  // If true, tokens are invalidated on every request or after the expiry time, whichever comes first. If false, tokens only expire after the lifetime.
),
```
Configuration Options
- Token Lifetime - How long before a token expires and becomes invalid. Default is 15 minutes. Any string that `strtotime()` recognises can be used.
- Invalidate Tokens On Request - If set, every request invalidates all previously issued tokens. If not set, tokens are only invalidated once their expiry time is reached. Most of the time you probably want this disabled (note that the configuration example above enables it): otherwise, when a user goes back and submits a form again, they get the XSRF error even though the token is still within its lifetime.
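The following is an added example written for this page, not code from the xsrf_protection extension: a minimal one-use CSRF token store that mirrors the behaviour described under "What it does" and the two configuration options above. The class name `XsrfTokenStore`, the in-memory array standing in for the Symphony session, the hidden-input markup and the fixed-clock demo values are assumptions made for illustration; the extension's actual implementation may differ. It requires PHP 8.0 or later.

```php
<?php
declare(strict_types=1);

// Added example, not code from the xsrf_protection extension. The class name,
// the in-memory array used in place of the Symphony session, and the demo
// timestamps are assumptions for illustration only.
final class XsrfTokenStore
{
    /** @var array<string,int> token => expiry (unix timestamp) */
    private array $tokens = [];

    public function __construct(
        private string $lifetime = '15 mins',   // any strtotime() relative string
        private bool $invalidateOnRequest = true
    ) {}

    // Issue a fresh token: 256 bits from the CSPRNG, hex encoded, expiring
    // $lifetime after $now. The token is stored so it can be spent exactly once.
    public function issue(?int $now = null): string
    {
        $now ??= time();
        $this->purgeExpired($now);
        $token = bin2hex(random_bytes(32));
        $expiry = strtotime($this->lifetime, $now);
        if ($expiry === false) {
            throw new InvalidArgumentException("Unparseable token lifetime: {$this->lifetime}");
        }
        $this->tokens[$token] = $expiry;
        return $token;
    }

    // The hidden field that gets injected into every POST form.
    public function hiddenInput(string $token): string
    {
        return '<input type="hidden" name="xsrf" value="'
            . htmlspecialchars($token, ENT_QUOTES, 'UTF-8') . '" />';
    }

    // Returns true only for a token that was issued, is unexpired and has not
    // been used; a valid token is consumed. With invalidate-on-request enabled,
    // every outstanding token is dropped as well, so a form loaded earlier
    // (another tab, the back button) fails even inside its lifetime.
    public function validate(?string $submitted, ?int $now = null): bool
    {
        $now ??= time();
        $this->purgeExpired($now);
        $valid = false;
        if ($submitted !== null) {
            foreach (array_keys($this->tokens) as $stored) {
                if (hash_equals($stored, $submitted)) {   // constant-time comparison
                    unset($this->tokens[$stored]);        // one use only
                    $valid = true;
                    break;
                }
            }
        }
        if ($this->invalidateOnRequest) {
            $this->tokens = [];
        }
        return $valid;
    }

    private function purgeExpired(int $now): void
    {
        $this->tokens = array_filter($this->tokens, fn(int $exp): bool => $exp > $now);
    }
}

// Demo with a fixed clock so the expiry path is deterministic.
$t0 = strtotime('2024-01-01 12:00:00 UTC');

$store = new XsrfTokenStore('15 mins', false);
$token = $store->issue($t0);
echo $store->hiddenInput($token), "\n";
var_dump($store->validate($token, $t0 + 60));        // true: fresh and within lifetime
var_dump($store->validate($token, $t0 + 60));        // false: already spent
var_dump($store->validate(null, $t0));               // false: token missing
var_dump($store->validate('not-a-token', $t0));      // false: token unknown
$stale = $store->issue($t0);
var_dump($store->validate($stale, $t0 + 16 * 60));   // false: expired after 15 mins

// With invalidate-tokens-on-request = true, two forms open at once means the
// second submission fails even though its token is still within its lifetime.
$strict = new XsrfTokenStore('15 mins', true);
$tabA = $strict->issue($t0);
$tabB = $strict->issue($t0);
var_dump($strict->validate($tabA, $t0 + 10));        // true
var_dump($strict->validate($tabB, $t0 + 20));        // false: invalidated by the previous request
```

The last two calls show the trade-off the option description warns about: invalidating on every request shrinks the window in which a leaked token is useful, but any form loaded before the most recent request (a second tab, or a page reached with the back button) will be rejected, which is why the README suggests leaving the option disabled unless that behaviour is wanted.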
Version history
0.1 (requires Symphony 2.3)
- Initial release.