HmacCsrfGuard
HMAC-SHA256 {@see CsrfGuardInterface}: a token is a base64url-encoded JSON payload (`route`, `issuedAt`, `expiresAt`, `nonce`, `signature`) whose `signature` binds the payload to the session id it was issued for via `hash_hmac('sha256', $sessionId . "\n" . json_encode($payload), $secret)`. Stateless — no storage, no server-side lookup — verification is pure recomputation-and-compare with {@see hash_equals()}. A token issued for one session/route pair fails verification for any other.
HmacCsrfGuard::__construct()
public function __construct(string $secret, int $ttlSeconds = 3600, int $clockSkewSeconds = 30):Parameters
| Name | Type | Description |
|---|---|---|
| $secret | string | |
| $ttlSeconds | int | |
| $clockSkewSeconds | int |
HmacCsrfGuard::issueToken()
public function issueToken(string $sessionId, string $route): stringIssues a new HMAC-signed token bound to `$sessionId` and `$route`, valid for `$ttlSeconds` from now.
Parameters
| Name | Type | Description |
|---|---|---|
| $sessionId | string | |
| $route | string |
HmacCsrfGuard::verifyToken()
public function verifyToken(string $token, string $sessionId, string $route): boolVerifies `$token` was issued by {@see issueToken()} for this exact `$sessionId`/`$route` pair and has not expired (within the configured clock-skew tolerance). Returns `false` — never throws — for a malformed, mismatched, or expired token.
Parameters
| Name | Type | Description |
|---|---|---|
| $token | string | |
| $sessionId | string | |
| $route | string |