Skip to content
docsv0.1.0

HmacCsrfGuard

HMAC-SHA256 {@see CsrfGuardInterface}: a token is a base64url-encoded JSON payload (`route`, `issuedAt`, `expiresAt`, `nonce`, `signature`) whose `signature` binds the payload to the session id it was issued for via `hash_hmac('sha256', $sessionId . "\n" . json_encode($payload), $secret)`. Stateless — no storage, no server-side lookup — verification is pure recomputation-and-compare with {@see hash_equals()}. A token issued for one session/route pair fails verification for any other.

HmacCsrfGuard::__construct()

public function __construct(string $secret, int $ttlSeconds = 3600, int $clockSkewSeconds = 30):

Parameters

Parameters of __construct()
NameTypeDescription
$secretstring
$ttlSecondsint
$clockSkewSecondsint

HmacCsrfGuard::issueToken()

public function issueToken(string $sessionId, string $route): string

Issues a new HMAC-signed token bound to `$sessionId` and `$route`, valid for `$ttlSeconds` from now.

Parameters

Parameters of issueToken()
NameTypeDescription
$sessionIdstring
$routestring

HmacCsrfGuard::verifyToken()

public function verifyToken(string $token, string $sessionId, string $route): bool

Verifies `$token` was issued by {@see issueToken()} for this exact `$sessionId`/`$route` pair and has not expired (within the configured clock-skew tolerance). Returns `false` — never throws — for a malformed, mismatched, or expired token.

Parameters

Parameters of verifyToken()
NameTypeDescription
$tokenstring
$sessionIdstring
$routestring