Skip to content
docsv0.1.0

CsrfGuardInterface

Issues and verifies per-session, per-route CSRF tokens for the live interaction endpoint. A token issued for one `$sessionId`/`$route` pair MUST NOT verify for a different session or route — implementations bind both into the token rather than treating it as an opaque, globally-valid secret.

CsrfGuardInterface::issueToken()

abstract public function issueToken(string $sessionId, string $route): string

Issues a new token bound to the given session and route.

Parameters

Parameters of issueToken()
NameTypeDescription
$sessionIdstring
$routestring

CsrfGuardInterface::verifyToken()

abstract public function verifyToken(string $token, string $sessionId, string $route): bool

Verifies a token was issued by {@see issueToken()} for this exact session and route, and has not expired. MUST NOT throw on a malformed token — an invalid token is a normal, expected input and is reported via the boolean return, not an exception.

Parameters

Parameters of verifyToken()
NameTypeDescription
$tokenstring
$sessionIdstring
$routestring