UForm Fork me on GitHub

CSRF Protection

CSRF protection is necessary for security reason.

UForm's builder takes care of CSRF processing and can check the validity of a given token. The only one condition is that you tell it how to retrieve and check token validity.

Implement CSRF Interface

The first step is to implement the interface UForm\Validator\Csrf\CsrfInterface

The following example shows you a very basic CSRF example:

  <?php

  use UForm\Validator\Csrf\CsrfInterface;

  class MyCsrfImplementation implements CsrfInterface
  {

    protected $tokenHandler;

    function __construct(TokenHandler $tokenHandler)
    {
      $this->tokenHandler = $tokenHandler;
    }

    public function getToken(){
      return $this->tokenHandler->getCsrfToken();
    }

    public function tokenIsValid($token){
      return $this->tokenHandler->isValid($token);
    }

  }

Tell UForm's builder about your CSRF implementation

There are two ways to pass a CSRF implementation : globally or locally

Set a global CSRF implementation

UForm environment is used to globally store your CSRF implementation.

  use UForm\Environment;
  use UForm\Builder;

  $myCsrfImplementation = new MyCsrfImplementation($myTokenHandler);

  Environment::setCsrfResolver($myCsrfImplementation);

  // Now UForm's builder is aware of your token
  // and it's transparent to use it
  // Just do :
  $form = Builder::init()->getForm();

  // $form is protected by csrf

Set a local CSRF implementation

Sometimes you dont want to put a global instance of the CSRF implementation, then you can use the builder options:

  use UForm\Environment;
  use UForm\Builder;

  $myCsrfImplementation = new MyCsrfImplementation($myTokenHandler);

  $builderOptions = [
    "csrf" => $myCsrfImplementation
  ];

  $form = Builder::init("action", "POST", $builderOptions)->getForm();

  // $form is protected by csrf

Change the name of the CSRF element

When the builder creates a CSRF, it actually creates an hidden field with a name set automatically. In some edges cases you want to use a custom name for this hidden field. The builder option csrf-name can do it:

  use UForm\Builder;

  $myCsrfImplementation = new MyCsrfImplementation($myTokenHandler);

  $builderOptions = [
    "csrf" => $myCsrfImplementation,
    "csrf-name" => "customName"
  ];

  $form = Builder::init("action", "POST", $builderOptions)->getForm();

  // The generated hidden will have the name "customName":
  // <input type="hidden" name="customName" />