PHP Classes

File: Csrf.php

Role: Class source
Content type: text/plain
Description: Class source
Class: PHP CSRF Token Library
Generate and validate tokens to avoid CSRF attacks
Author: Mohammad Anzawi
Date: 2 years ago
Size: 5,218 bytes

<?php
/*
## Author : Mohammad Anzawi from ##
## License : MIT ##
## ##
## see all my free and open source php libraries and classes on github: ##
## ##
## ##
## visit my blog -> ##
## ##
## Please Don't Remove this comment block. ##
## ##
*/
class Csrf
{
    // the session and field name
    private $_tokenName = "_token";

    // we don't need a duplicate object, just one instance
    private static $__obj = null;

    private function __construct()
    {
        // if the session is not started yet, start it
        if (session_id() == '') {
            session_start();
        }

        // generate the token
        $this->generate();
    }

    // initialize the class
    public static function init()
    {
        // check whether the object has already been created or not
        if (!isset(self::$__obj) || is_null(self::$__obj)) {
            self::$__obj = new Csrf(); // create new object
        }
        return self::$__obj;
    }

    /**
     * check if the (CSRF) token has been generated or not
     * precautionary measure, because we already generate it in __construct
     */
    private function checkIfTokenIsGenerated()
    {
        return isset($_SESSION[$this->_tokenName]);
    }

    /**
     * generate the token value
     */
    public function generate()
    {
        // check if the token has been generated - if not, generate a new one,
        // otherwise return the old token
        // to allow multiple forms in the same page
        // if we don't do that, only the last form can pass the token check.
        if (!$this->checkIfTokenIsGenerated()) {
            // note: uniqid() and rand() are not cryptographically secure sources;
            // random_bytes() (PHP 7+) is the modern replacement for this line.
            $_SESSION[$this->_tokenName] = sha1(uniqid() . rand() * time());
        }
        return $_SESSION[$this->_tokenName];
    }

    /**
     * get the token value
     */
    public function getToken()
    {
        // if it is not generated yet, generate a new one
        return $this->generate();
    }

    /**
     * this method checks whether the submitted token is valid or not.
     * it accepts an (optional) parameter: the value of the submitted token.
     * if you don't send the value, we read the submitted token value if it exists.
     */
    public function checkToken($value = '')
    {
        // if the value parameter is not sent
        // and no token value was submitted, or the token is not generated,
        // return bool(false)
        if ((!$value && !$this->submitedToken()) || !$this->checkIfTokenIsGenerated()) {
            return false;
        }

        // if no token value was passed in, use the submitted value
        // (submitedToken() looks in both $_POST and $_GET, matching the check above)
        $value = $value ? $value : $this->submitedToken();
        // (bool) true if the submitted token equals the token in the session, otherwise false
        $valid = $value === $_SESSION[$this->_tokenName];

        // delete (remove, destroy, unset) the current token value from the session
        $this->destroy();
        // return (bool)
        return $valid;
    }

    /**
     * use this method if we want to kill the page when the token does not match our session
     *
     * How to Use :::::
     *
     * $csrf = Csrf::init();
     * if ($csrf->checkToken()) {
     *     // everything is OK, process the last action
     * } else {
     *     // the token does not match, something is wrong - CSRF attack
     * }
     *
     * OR ----
     *
     * Csrf::init()->ValidOrDie();
     * // everything is OK, process the last action
     * // because if anything is wrong the page was killed by the ValidOrDie() method
     */
    public function ValidOrDie()
    {
        if (!$this->checkToken()) die("Oops, invalid server request . the CSRF not Matched our storage");
    }

    // auto generate the hidden input field for a form in an html page
    public function csrfField()
    {
        return "<input type='hidden' name='" . $this->_tokenName . "' value='" . $this->getToken() . "'>";
    }

    // delete the token from the session
    public function destroy()
    {
        unset($_SESSION[$this->_tokenName]);
    }

    // here we just check if a token value was submitted ($_GET or $_POST only)
    private function submitedToken()
    {
        $token = false;

        if (isset($_POST[$this->_tokenName])) {
            $token = $_POST[$this->_tokenName];
        } elseif (isset($_GET[$this->_tokenName])) {
            $token = $_GET[$this->_tokenName];
        }

        return $token;
    }
}
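As an added example, not part of Mohammad Anzawi's library, here is the same generate / field / check flow the class above implements, rebuilt with the primitives a reviewer would ask for: random_bytes() instead of sha1(uniqid() . rand() * time()), hash_equals() instead of ===, htmlspecialchars() on the hidden field, and acceptance of the token from POST only. It assumes PHP 7 or later. The class name CsrfHardened, the $store constructor parameter and the demo arrays are my own constructions, chosen so the file runs from the CLI without a real session or HTTP request.

```php
<?php
// Added example, not code from the PHP CSRF Token Library. Names below
// (CsrfHardened, $store) are assumptions made for this illustration.

final class CsrfHardened
{
    private $tokenName;
    private $store; // array reference standing in for $_SESSION

    // $store is taken by reference so the class can be exercised from the CLI;
    // in a web request pass $_SESSION (after session_start()).
    public function __construct(array &$store, $tokenName = '_token')
    {
        $this->store = &$store;
        $this->tokenName = $tokenName;
    }

    // 32 bytes from the CSPRNG, hex encoded (64 chars). The token is created
    // once per session and reused, so several forms on one page share it.
    public function getToken()
    {
        if (!isset($this->store[$this->tokenName])) {
            $this->store[$this->tokenName] = bin2hex(random_bytes(32));
        }
        return $this->store[$this->tokenName];
    }

    // Drop the current token so the next getToken() issues a fresh one;
    // call this on login, logout and other privilege changes.
    public function rotate()
    {
        unset($this->store[$this->tokenName]);
    }

    // Hidden field for the form. The token is hex, but escape anyway so a
    // changed generator or field name can never break out of the attribute.
    public function field()
    {
        return "<input type='hidden' name='"
            . htmlspecialchars($this->tokenName, ENT_QUOTES, 'UTF-8')
            . "' value='"
            . htmlspecialchars($this->getToken(), ENT_QUOTES, 'UTF-8')
            . "'>";
    }

    // Validate a submitted value: must be a string, a session token must
    // exist, and the comparison is constant-time. Read the value from $_POST
    // only; a token in the query string ends up in logs and Referer headers.
    public function check($submitted)
    {
        if (!is_string($submitted) || !isset($this->store[$this->tokenName])) {
            return false;
        }
        return hash_equals($this->store[$this->tokenName], $submitted);
    }
}

// --- demo with constructed data (no real session, no HTTP request) ---
$session = array();                      // constructed stand-in for $_SESSION
$csrf = new CsrfHardened($session);

echo $csrf->field(), PHP_EOL;

// constructed same-origin form post: the browser sent the field back unchanged
$postOk = array('_token' => $csrf->getToken());
var_dump($csrf->check($postOk['_token']));

// constructed cross-site request: the sending page cannot read the victim's
// session token, so it can only guess or omit the field; both must fail
$postForged = array('_token' => str_repeat('0', 64));
var_dump($csrf->check($postForged['_token']));
var_dump($csrf->check(isset($postForged['missing']) ? $postForged['missing'] : null));

// after a privilege change the old token no longer validates
$csrf->rotate();
var_dump($csrf->check($postOk['_token']));
```

Two design differences from the class above are deliberate. The token is kept for the whole session rather than unset after every check, so a user with two forms open does not fail the second submit; rotate() is the explicit replacement for that per-check destroy, to be called when the session's privilege level changes. And the validator takes the submitted value as an argument instead of reading $_GET and $_POST itself, which keeps the query-string path closed and makes the check testable without a web server.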
