mini\CSRF
class
Documentation
WordPress-inspired nonce (CSRF) token system.
Tokens are self-contained: each carries the action name, an issue timestamp, and the client IP address, and is signed with an HMAC whose key is derived from the session ID, the User-Agent string, and the application salt. Because the IP address and User-Agent are bound into the token, it is only valid for the browser session and address it was issued to; a token presented from a different client context (for example, a client whose address changes mid-session) fails verification.
Usage:
    $nonce = new CSRF('delete-post');
    render('form.php', ['nonce' => $nonce]);

    // In template:
    <form method="post"> <?= $nonce ?> ... </form>

    // Verify:
    $nonce = new CSRF('delete-post');
    if ($nonce->verify($_POST['nonce'])) {
        // Process form
    }
Inheritance
Implements:
Stringable
Properties (3)
private string $action
private string $fieldName
private ?string $token
Methods (6)
Create a CSRF token for a specific action (the constructor: new CSRF('delete-post') in the usage above)
Build signature key from hard-to-guess components (session ID, User-Agent, application salt)
Generate a new token with current timestamp and IP
Get the token string (lazy generation: $token stays null until first requested, then is generated once and reused)
Verify a token (verify(), as in the usage above)
Output hidden input field (__toString(), via the Stringable interface)
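The class below is an added, runnable illustration of the scheme the description and the method list lay out. It is example code written for this page, not the mini\CSRF source, and it makes several assumptions the page does not state: the method names signatureKey(), generate() and token(); an action|timestamp|ip|mac wire format with base64url-encoded fields; a one-hour token lifetime; and that the session ID, User-Agent and client IP are passed in explicitly (in a real request they would come from session_id() and $_SERVER), so the script runs from the CLI against constructed values. Requires PHP 8.1 or later.

```php
<?php
declare(strict_types=1);

// Illustrative re-implementation of a self-contained, HMAC-signed CSRF nonce.
// Not the mini\CSRF class; names, wire format and lifetime are assumptions.
final class NonceExample implements Stringable
{
    private const TTL = 3600;           // assumed lifetime: one hour
    private ?string $token = null;      // lazily generated, then reused

    public function __construct(
        private readonly string $action,
        private readonly string $sessionId,   // would come from session_id()
        private readonly string $userAgent,   // would come from $_SERVER['HTTP_USER_AGENT']
        private readonly string $clientIp,    // would come from $_SERVER['REMOTE_ADDR']
        private readonly string $salt,        // per-deployment secret
        private readonly string $fieldName = 'nonce',
    ) {}

    // Signature key derived from request-bound components plus the application salt.
    private function signatureKey(): string
    {
        return hash_hmac('sha256', $this->sessionId . "\0" . $this->userAgent, $this->salt, true);
    }

    private function sign(string $payload): string
    {
        return hash_hmac('sha256', $payload, $this->signatureKey());
    }

    // base64url keeps '|' out of the encoded fields, so the separator is unambiguous.
    private static function b64(string $s): string
    {
        return rtrim(strtr(base64_encode($s), '+/', '-_'), '=');
    }

    private static function unb64(string $s): string|false
    {
        if ($pad = strlen($s) % 4) {
            $s .= str_repeat('=', 4 - $pad);
        }
        return base64_decode(strtr($s, '-_', '+/'), true);
    }

    // New token carrying action, issue timestamp and client IP, then the MAC.
    public function generate(?int $now = null): string
    {
        $now ??= time();
        $payload = implode('|', [self::b64($this->action), (string) $now, self::b64($this->clientIp)]);
        return $payload . '|' . $this->sign($payload);
    }

    public function token(): string
    {
        return $this->token ??= $this->generate();
    }

    public function verify(?string $token, ?int $now = null): bool
    {
        $now ??= time();
        if ($token === null) {
            return false;
        }
        $parts = explode('|', $token);
        if (count($parts) !== 4) {
            return false;
        }
        [$action, $ts, $ip, $mac] = $parts;
        // Constant-time MAC check first; no field is trusted until it passes.
        if (!hash_equals($this->sign("$action|$ts|$ip"), $mac)) {
            return false;
        }
        if (self::unb64($action) !== $this->action || self::unb64($ip) !== $this->clientIp) {
            return false;
        }
        if (!ctype_digit($ts)) {
            return false;
        }
        $issued = (int) $ts;
        return $issued <= $now && $now - $issued <= self::TTL;
    }

    // Hidden field for the form; both attributes are HTML-escaped.
    public function __toString(): string
    {
        $name = htmlspecialchars($this->fieldName, ENT_QUOTES, 'UTF-8');
        $value = htmlspecialchars($this->token(), ENT_QUOTES, 'UTF-8');
        return sprintf('<input type="hidden" name="%s" value="%s">', $name, $value);
    }
}

// Constructed request context; there is no real browser or session here.
$salt = 'example-deployment-salt';
$sid  = 'sess-abc123';
$ua   = 'Mozilla/5.0 (example)';

$issuer = new NonceExample('delete-post', $sid, $ua, '203.0.113.7', $salt);
$token  = $issuer->token();
echo $issuer, PHP_EOL;

$same        = new NonceExample('delete-post', $sid, $ua, '203.0.113.7', $salt);
$otherAction = new NonceExample('publish-post', $sid, $ua, '203.0.113.7', $salt);
$otherIp     = new NonceExample('delete-post', $sid, $ua, '198.51.100.9', $salt);

$checks = [
    'same client, fresh token'     => $same->verify($token),
    'same client, two hours later' => $same->verify($token, time() + 7200),
    'different action'             => $otherAction->verify($token),
    'different client IP'          => $otherIp->verify($token),
    'tampered payload'             => $same->verify(substr_replace($token, 'X', 0, 1)),
    'missing field'                => $same->verify(null),
];
foreach ($checks as $label => $ok) {
    printf("%-30s %s\n", $label, $ok ? 'accepted' : 'rejected');
}
```

Two points of the design are worth calling out. The MAC is checked with hash_equals() before any field is decoded, so a forged or truncated token is rejected in constant time without reaching the parsing logic, and the action, IP and timestamp are only compared after the signature has proven they are the ones the server issued. The IP binding is also what makes the scheme stricter than a plain random-per-session token: the last three checks in the script show that changing the action, the client address, or a single byte of the payload each cause rejection, which is the intended protection but also means legitimate users whose address changes between rendering and submitting the form will see a verification failure.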