nonce4php

A nonce manager PHP library useful for preventing CSRF and replay attacks.

We may find several articles and videos explaining the vulnerabilities that nonces try to prevent:

• YouTube - Jmaxxz - CSRF Explained
• YouTube - Professor Messer - Cross-site Request Forgery
• YouTube - Professor Messer - Replay Attacks
• YouTube - Hak5 - How to Hack Wireless Remotes with Radio Replay Attacks
• Coding Horror - Preventing CSRF and XSRF Attacks
• acunetix - CSRF Attacks, XSRF or Sea-Surf
• SitePoint - How to Prevent Replay Attacks on Your Website

It seems, though, that many PHP nonces libraries are too restrictive, coupled with some framework, hard to use or hard to understand how they work.

pedroac/nonce tries to solve those issues.

It allows choosing any PSR-16 implementation to store temporarily the nonces, nonces values generators, expiration intervals and even a DateTime provider to override the clock system (this feature is used for unit tests).

It also provides helpers to manage input, generate random nonces names and values, verify submitted tokens against the nonce and generate HTML elements.

• PHP 7.1 or later: http://php.net/downloads.php
• Composer: https://getcomposer.org
• At least one PSR-16 implementation. Examples:
  • symfony/cache
  • matthiasmullie/scrapbook

Run the command:

composer require pedroac/nonce

• Using Symfony ArrayCache
• CLI test
• HTML form using a session
• HTML form using an auto generated nonce name
• HTML form using a helper

The HTML forms can be tested using a PHP built-in web server.
From the php/examples folder run the command:

php -S localhost:8000

Use the URL http://localhost:8000/ in a browser.

1. Create a nonce form helper:

<?php
require __DIR__ . '/../vendor/autoload.php';

use SymfonyComponentCacheSimpleFilesystemCache;
use pedroacnonceNoncesManager;
use pedroacnonceFormHtmlNonceField;
use pedroacnonceFormNonceForm;

// this handles automatically the input and nonce management
$form = new NonceForm(
    'token', // the HTML input name
    new NoncesManager(
      new FilesystemCache // a PsrSimpleCacheCacheInterface implementation
    )
);
// this will be used to generate a HTML input element
$htmlField = new HtmlNonceField($form);

2. Check if a valid token was submitted:

if ($form->isSubmittedValid()) {
  /**
   * handle the success:
   * - if all form input is valid, show success page;
   * - otherwise, show an error page and the form again;
   */
}

3. Check if an invalid token was submitted:

if ($form->isSubmittedInvalid()) {
  /**
   * handle failure:
   * - don't show the form again;
   * - show an error message;
   */
}

4. Implement the HTML form:

<form method="POST">
    <?= $htmlField ?>
    <!-- more HTML -->
    <input type="submit" name="myform" value="Submit" />
</form>

The nonce is expired automatically when the token is verified with the NonceForm class.

1. Instantiate a nonce manager:

<?php
require __DIR__ . '/../vendor/autoload.php';

use SymfonyComponentCacheSimpleFilesystemCache;
use pedroacnonceNoncesManager;

$manager = new NoncesManager(new FilesystemCache);

2. When a request is submitted, validate the submitted token and remove the nonce:

$isValidToken = false;
$isValidForm = false;
$wasSubmitted = filter_has_var(INPUT_POST, 'myform');
$tokenName = filter_input(INPUT_POST, 'token_name');
$tokenValue = filter_input(INPUT_POST, 'token_value') ?? '';

if ($tokenName) {
    $isValidToken = $manager->verifyAndExpire($tokenName, $tokenValue);
}
if ($wasSubmitted && $isValidToken) {
    // validate input
}

3. Generate a nonce when appropriate:

if (!$wasSubmitted || (!$isValidForm && $isValidToken)) {
  $nonce = $manager->create();
}

4. Use the nonce name and value to build, for instance, a HTML form:

<?php if ($nonce) : ?>
  <input type="hidden"
        name="token_name"
        value="<?= htmlspecialchars($nonce->getName()) ?>" />
  <input type="hidden"
        name="token_value"
        value="<?= htmlspecialchars($nonce->getValue()) ?>" />
  <input type="submit" name="myform" value="Submit" />
<?php endif; >

Besides the nonces cache storage, it's possible to select the random nonce value generator and the expiration interval:

<?php
require __DIR__ . '/../vendor/autoload.php';

use SymfonyComponentCacheSimpleArrayCache;
use pedroacnonceNoncesManager;
use pedroacnonceRandomHexRandomizer;

$manager = new NoncesManager(
    new ArrayCache(60),
    new HexRandomizer(32), // a pedroacnonceRandom implementation
    new DateInterval('PT3H')
);

It's also possible to create a nonce with a specified name:

$user_id = $_SESSION['user_id'];
$tokenName = "{$user_id}_form";
$nonce = $manager->create($tokenName);

NonceForm default input source is $_POST, but it accepts any array input:

$form = new NonceForm(
    'token',
    new NoncesManager(
      new FilesystemCache
    ),
    filter_input_array(INPUT_GET) // use $_GET
);

Run from the library root folder:

php/vendor/bin/phpunit php/tests/ -c php/tests/configuration.xml

If the tests were successful, php/tests/coverage-html should have the code coverage report.

Run from the library root folder:

sh scripts/generate-docs.sh

The generated documentation should be inside the folder docs.

It should be used SemVer for versioning.

• Pedro Amaral Couto - Initial work - https://github.com/pedroac

pedroac/nonce is released under the MIT public license.
See the enclosed LICENSE for details.

The library was developed as a private request response made by a Stackoverflow user.