hydrakit/csrf 问题修复 & 功能扩展

解决BUG、新增功能、兼容多环境部署,快速响应你的开发需求

邮箱:yvsm@zunyunkeji.com | QQ:316430983 | 微信:yvsm316

hydrakit/csrf

Composer 安装命令:

composer require hydrakit/csrf

包简介

CSRF library for Hydra PHP framework

README 文档

README

Synchronizer-token CSRF protection: one secret token per session, compared in constant time against whatever an unsafe request submits. State lives entirely in the session, so the guard is stateless and the package ships no ServiceProvider — the guard autowires from the session binding.

How it works

CsrfGuard::token() mints the token lazily on first read (typically when a view renders a form or the layout's meta tag) and returns the same value for the life of the session. It's hex, so it's safe to embed in HTML attributes, JSON (hx-headers), and headers without further encoding. validate() is read-only — it compares with hash_equals and never mints.

VerifyCsrfTokenMiddleware lets safe methods (GET/HEAD/OPTIONS) through untouched — a GET is what mints the token in the first place — and requires a matching token on every other method (POST/PUT/PATCH/DELETE, but also any WebDAV or custom verb — the safe list is an allowlist, so unknown verbs fail closed), else a 403 before the request reaches a controller. The token is read from the X-CSRF-Token header first (htmx and AJAX clients send it automatically once the layout is wired) and falls back to the _token form field.

Place this middleware inside the session middleware in the stack — it needs the session started so the guard can read the stored token.

Rotating

OWASP recommends rotating the CSRF token on authentication. Note that SessionInterface::regenerate() keeps the data, including this token, so the token survives a session-id rotation — call rotate() explicitly:

public function login(ServerRequestInterface $request): ResponseInterface
{
    // ... verify credentials ...

    $session->regenerate(); // new session id (fixation defence)
    $guard->rotate();       // new CSRF token (regenerate() alone keeps the old one)

    return redirect('/dashboard');
}

rotate() discards the stored token and mints, stores and returns a fresh one. Tokens embedded in already-rendered pages stop validating immediately, so call it where you're navigating anyway (the login POST handler).

统计信息

  • 总下载量: 0
  • 月度下载量: 0
  • 日度下载量: 0
  • 收藏数: 0
  • 点击次数: 1
  • 依赖项目数: 2
  • 推荐数: 0

GitHub 信息

  • Stars: 0
  • Watchers: 0
  • Forks: 0
  • 开发语言: PHP

其他信息

  • 授权协议: MIT
  • 更新时间: 2026-07-07

承接程序开发

PHP开发

VUE

Vue开发

前端开发

小程序开发

公众号开发

系统定制

数据库设计

云部署

网站建设

安全加固