
Rob Allen:
Slim-Csrf with Slim 3
Aug 25, 2015 @ 09:49:48

In a post to his site Rob Allen shows you how to help secure your Slim 3-based applications with the help of the Slim-Csrf package. A CSRF (cross-site request forgery) attack happens when another site causes a visitor's browser to send a request to your application; because the browser attaches the visitor's session cookie automatically, the request arrives authenticated and can perform an action the visitor never intended.

In addition to the core Slim framework, we also ship a number of add-ons that are useful for specific types of problems. One of these is Slim-Csrf which provides CSRF protection. This is middleware that sets a token in the session for every request that you can then set as a hidden input field on a form. When the form is submitted, the middleware checks that the value in the form field matches the value stored in the session. If they match, then all is okay, but if they don't then an error is raised.

He shows how to add the middleware to your Slim 3 application and how to add the token to each form. The library generates random values for both the name of the token and its value, so each rendered form carries its own pair and applications that open multiple browser windows or tabs keep working. He also shows you how to validate the token, either using the built-in "Guard" handling or manually, by deferring the check to the route.

tagged: slim3 csrf token package library install configure validate

Link: http://akrabat.com/slim-csrf-with-slim-3/

Barry vd. Heuvel:
OAuth in Javascript Apps with Angular and Lumen, using Satellizer and Laravel Socialite
Jul 22, 2015 @ 09:51:49

Barry vd. Heuvel has a post to his site sharing a step by step guide to setting up OAuth in a Lumen+AngularJS application via Socialite and Satellizer (an AngularJS library for OAuth and token-based authentication).

In the last few weeks, Socialite was a popular topic to blog/tweet about. Coincidentally, I also needed Socialite for a project. But in my case, I wanted to use it in an Angular app, distributed using Cordova (Phonegap) as hybrid app on Android/iOS. There were some examples, but I couldn’t find much about it at the time. A few people asked to share my experience about it, so here it is!

He starts by linking to all of the tools you'll need to help get some background on them, including a helpful guide to installing Satellizer. He then goes over the flow of the entire process, from the initial call from the AngularJS side to authenticate, through the backend Lumen/Socialite/Satellizer handling and then back out to the JavaScript where the token is then stored. With this established, he gets into the implementation details, starting with the Lumen code to make the API request to GitHub, then working with the JWT tokens and responding back to the AngularJS frontend with the result.

tagged: angularjs lumen framework tutorial socialite satellizer oauth jwt token

Link: http://barryvdh.nl/laravel/lumen/angular/2015/07/19/oauth-in-javascript-apps-with-angular-lumen-using-satellizer-laravel-socialite/

Scotch.io:
Token-Based Authentication for AngularJS and Laravel Apps (continued)
Jul 06, 2015 @ 11:57:54

Scotch.io has posted the second part of their series (here's part one) continuing their look at using tokens for authentication in an AngularJS+Laravel application. They pick up where they left off in the previous part and focus on adding more of the systems around the token.

In the tutorial on Scotch.io we created a new app called jot-bot to look at how to implement token-based authentication in AngularJS and Laravel by using jwt-auth and Satellizer together. On the Laravel side, jwt-auth lets us generate JSON web tokens when the user inputs their credentials. [...] There were a few things for a complete authentication solution that we didn't get to in the last tutorial, including: setting the logged-in user's data (such as name and email address) and their authentication status, a way to redirect the user to the login page if they become logged out, and how to log the user out and the implications of token-based authentication on logout.

He starts by updating the AuthenticateController to handle getting the authenticated user based on the token information. He also adds the matching route and shows the kind of data it should return. He then switches to the Angular side and creates the controller to hook into the backend and get the current user information. The tutorial then shows how to relay user information back to the view and what it might look like. He then goes through a similar process for adding the logout handling, including redirecting the user when logged out. The logout implication to keep in mind is that a JWT is self-contained: discarding it on the client does not invalidate it, so the server will keep accepting that token until its expiry claim passes unless it also keeps a revocation list. Finally, he shows how to initialize the user on the frontend when the application loads, pulling the data from localStorage (which any script on the page can read, so an XSS bug exposes the token) and checking for a valid existing session.
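To make concrete what the Laravel side checks when the AngularJS app sends back its stored token, and why "logout" is only a client-side act for a stateless token, here is an added example that covers both this tutorial and Barry vd. Heuvel's Lumen/Satellizer post above. It is not jwt-auth's, Satellizer's or either author's code; it assumes a single HS256 shared secret loaded from configuration (a placeholder string is used below), a user id in the "sub" claim and a "jti" claim for revocation.

```php
<?php
declare(strict_types=1);

// Added example, not the tutorial's or jwt-auth's code. HS256 JWT issue/verify
// with an expiry and a server-side revocation list keyed by the "jti" claim.
// Assumption: $secret comes from configuration (placeholder used below).

function b64url(string $data): string
{
    return rtrim(strtr(base64_encode($data), '+/', '-_'), '=');
}

function b64urlDecode(string $data): ?string
{
    $data  = strtr($data, '-_', '+/');
    $data .= str_repeat('=', (4 - strlen($data) % 4) % 4);
    $out   = base64_decode($data, true);
    return $out === false ? null : $out;
}

/** Issue a signed token; $claims must include "exp" and should include "jti". */
function jwtIssue(array $claims, string $secret): string
{
    $header  = b64url(json_encode(['typ' => 'JWT', 'alg' => 'HS256']));
    $payload = b64url(json_encode($claims));
    $sig     = b64url(hash_hmac('sha256', "$header.$payload", $secret, true));
    return "$header.$payload.$sig";
}

/** Return the claims if signature, expiry and revocation checks pass, else null. */
function jwtVerify(string $jwt, string $secret, array $revokedJti = [], ?int $now = null): ?array
{
    $parts = explode('.', $jwt);
    if (count($parts) !== 3) {
        return null;
    }
    [$h, $p, $s] = $parts;
    $header = json_decode(b64urlDecode($h) ?? '', true);
    // Pin the algorithm instead of honouring whatever "alg" the token claims;
    // "alg":"none" and HS256/RS256 confusion bugs both come from trusting it.
    if (!is_array($header) || ($header['alg'] ?? null) !== 'HS256') {
        return null;
    }
    $expected = b64url(hash_hmac('sha256', "$h.$p", $secret, true));
    if (!hash_equals($expected, $s)) {          // constant-time comparison
        return null;
    }
    $claims = json_decode(b64urlDecode($p) ?? '', true);
    if (!is_array($claims) || !isset($claims['exp']) || $claims['exp'] < ($now ?? time())) {
        return null;
    }
    if (isset($claims['jti']) && in_array($claims['jti'], $revokedJti, true)) {
        return null;
    }
    return $claims;
}

// --- demo with constructed data ---
$secret = 'replace-with-32-or-more-random-bytes-from-config';
$t0     = 1700000000;
$token  = jwtIssue(['sub' => 'user-1', 'jti' => 'tok-001', 'exp' => $t0 + 3600], $secret);

// Payload swapped for a different user: the original signature no longer matches.
[$h, , $s] = explode('.', $token);
$forged = $h . '.' . b64url(json_encode(['sub' => 'admin', 'exp' => $t0 + 3600])) . '.' . $s;

// A client-side "logout" only discards the token; the server keeps accepting
// it until "exp" unless it consults a revocation list, which costs statelessness.
$revoked = ['tok-001'];

$cases = [
    'valid'          => jwtVerify($token, $secret, [], $t0 + 10),
    'forged payload' => jwtVerify($forged, $secret, [], $t0 + 10),
    'expired'        => jwtVerify($token, $secret, [], $t0 + 3601),
    'after logout'   => jwtVerify($token, $secret, [], $t0 + 10),
    'after revoke'   => jwtVerify($token, $secret, $revoked, $t0 + 10),
];
foreach ($cases as $label => $claims) {
    printf("%-15s %s\n", $label, $claims === null ? 'rejected' : 'accepted as ' . $claims['sub']);
}
```

The "after logout" case is the point of the tutorial's logout discussion: it is the same call as "valid" and still succeeds, because nothing on the server changed when the client dropped the token. The "after revoke" case shows the price of fixing that, a lookup on every request.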

tagged: scotchio token authentication angularjs laravel application series part2

Link: http://ryanchenkie.com/token-based-authentication-for-angularjs-and-laravel-apps/

Gonzalo Ayuso:
Token based authentication with Silex and AngularJS
Jun 09, 2014 @ 10:33:37

Gonzalo Ayuso has posted a tutorial showing how to use token-based authentication with a Silex-based application through a request from AngularJS.

According to my last post, today we're going to create an AngularJS application that uses the Silex backend that we created previously. The idea of this application is to use it within a Phonegap/Cordova application running on a mobile device.

He includes the code (and markup) you'll need to make the request work. Basically, it uses the standard $http service from inside AngularJS to fetch the token and store it in the client's localStorage. The rest of the code checks whether the user is logged in (the token exists) or whether it needs to show the login form. The "logged in" route also displays an alert to the user with their user info (pulled from the API). Bear in mind that localStorage is readable by any script running on the page, so an XSS bug in the app exposes the token. The full code for the example can be found over on GitHub.

tagged: token authentication silex angularjs tutorial login localstorage

Link: http://gonzalo123.com/2014/06/09/token-based-authentication-with-silex-and-angularjs/

Gonzalo Ayuso:
Token based authentication with Silex Applications
May 06, 2014 @ 10:56:32

Gonzalo Ayuso has put together a new post for his site showing how to do token-based authentication with Silex and the help of a few additional Symfony components.

What happens if we want to use a security layer [in a Silex application]? We can use sessions. Sessions are the "standard" way to perform authentication in web applications, but when our application is a PhoneGap/Cordova application that uses a Silex server as API server, sessions aren't the best way. The best way now is token-based authentication. The idea is simple. First we need a valid token. Our API server will give us a valid token if we send valid credentials in a login form. Then we need to send the token with each request (the same way that we send the session cookie with each request).

He includes all the code you'll need to follow along. His example shows a basic Silex application that reads the token from the request URL and uses middleware to validate it; worth knowing when you adapt it is that query strings end up in access logs and Referer headers, so an Authorization header is the safer carrier for a token. There's a bit of CORS mixed in as well to make the cross-domain requests from the applications possible. He creates a service provider (for logins) and a controller provider to handle each type of request.

tagged: token authentication silex application tutorial

Link: http://gonzalo123.com/2014/05/05/token-based-authentication-with-silex-applications/

9Lessons.info:
Login with GitHub OAuth using PHP
Feb 11, 2014 @ 11:36:57

On the 9lessons.info site they've posted a new tutorial showing you how to log in with GitHub via OAuth using a custom script.

Nowadays GitHub.com (web based hosting service) is the most important part of a developer's life. In this post I want to discuss how to implement a GitHub OAuth login system for your web project; this is very simple to adopt and I am sure it will help you to increase your web project registrations. Please check my previous posts for Google, Facebook and Instagram OAuth login system scripts.

The system uses a simple database to store the current user information and their GitHub ID. They walk you through the flow of creating a new application on the GitHub site and include the scripts to make the initial request, redirect to the GitHub site for authorization and handle the callback correctly (whatever callback handler you end up with, it should also verify the state value it sent on the initial redirect, so an attacker cannot splice their own authorization code into a victim's session).

tagged: github oauth tutorial token

Link: http://www.9lessons.info/2014/02/login-with-github-oauth-php.html

Lorna Mitchell:
OAuth Middleware for Slim
Oct 09, 2013 @ 11:53:37

Lorna Mitchell has posted about some middleware for the popular Slim (micro)framework that helps with OAuth functionality.

OAuth can be anything you want it to be, the standards are lax and give you plenty of room for getting the right implementation for your system. However you proceed, though, you'll need to check an access token on every request - and in a Slim application, a middleware can help enormously since it hooks in to every request by design. I've recently implemented this and thought I would share.

She's created a basic middleware component that can be easily dropped into the framework to handle the checking of the tokens via an "AuthService" object. She also includes a brief snippet of how she generates the codes, combining the output of bin2hex and openssl_random_pseudo_bytes. If you reuse that approach, check the $crypto_strong flag openssl_random_pseudo_bytes reports through its second argument, or on PHP 7 and later simply use random_bytes(), which fails loudly when no secure source is available.
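Gonzalo Ayuso's Silex posts above and this Slim middleware describe the same two halves of opaque token authentication: issue a random token at login, then check it on every request. The following is an added example of both halves in framework-agnostic PHP; it is not Lorna Mitchell's middleware nor Gonzalo Ayuso's Silex code. It assumes an in-memory array standing in for the token table, a Bearer token in the Authorization header rather than the query string, and uses random_bytes() where her snippet used bin2hex(openssl_random_pseudo_bytes()).

```php
<?php
declare(strict_types=1);

// Added example, not Slim's, Silex's or either author's code. Only a SHA-256
// hash of each issued token is stored, so a leaked table yields no usable
// credentials. The array below stands in for a database table.
final class AuthService
{
    /** @var array<string, array{user:string, expires:int}> keyed by token hash */
    private array $tokens = [];

    /** Issue a token for a user; the plaintext is returned once and never stored. */
    public function issueToken(string $userId, int $ttl, ?int $now = null): string
    {
        $token = bin2hex(random_bytes(32));     // 256 random bits from the CSPRNG
        $this->tokens[hash('sha256', $token)] = [
            'user'    => $userId,
            'expires' => ($now ?? time()) + $ttl,
        ];
        return $token;
    }

    /** Return the user id the token belongs to, or null if it is not valid. */
    public function resolve(string $token, ?int $now = null): ?string
    {
        // Hashing first means no secret is ever compared byte-by-byte, so the
        // lookup itself cannot leak the stored value through timing.
        $record = $this->tokens[hash('sha256', $token)] ?? null;
        if ($record === null || $record['expires'] < ($now ?? time())) {
            return null;
        }
        return $record['user'];
    }

    /** Logout: an opaque token can be revoked server-side, unlike a bare JWT. */
    public function revoke(string $token): void
    {
        unset($this->tokens[hash('sha256', $token)]);
    }
}

/**
 * Middleware-style check run before every protected route. The token is read
 * from the Authorization header, not the query string (query strings end up in
 * access logs and Referer headers). Returns the status to respond with.
 */
function authenticate(array $headers, AuthService $auth, ?int $now = null): array
{
    $header = $headers['Authorization'] ?? '';
    if (!preg_match('/^Bearer\s+([A-Za-z0-9]+)$/', $header, $m)) {
        return ['status' => 401, 'user' => null];
    }
    $user = $auth->resolve($m[1], $now);
    return $user === null
        ? ['status' => 401, 'user' => null]
        : ['status' => 200, 'user' => $user];
}

// --- demo with constructed requests ---
$auth  = new AuthService();
$t0    = 1700000000;
$token = $auth->issueToken('alice', 3600, $t0);

$requests = [
    'no header'   => [],
    'valid token' => ['Authorization' => 'Bearer ' . $token],
    'wrong token' => ['Authorization' => 'Bearer ' . bin2hex(random_bytes(32))],
];
foreach ($requests as $label => $headers) {
    $r = authenticate($headers, $auth, $t0 + 10);
    printf("%-13s status=%d user=%s\n", $label, $r['status'], $r['user'] ?? '-');
}
$r = authenticate($requests['valid token'], $auth, $t0 + 3601);
printf("%-13s status=%d user=%s\n", 'expired', $r['status'], $r['user'] ?? '-');
$auth->revoke($token);
$r = authenticate($requests['valid token'], $auth, $t0 + 10);
printf("%-13s status=%d user=%s\n", 'revoked', $r['status'], $r['user'] ?? '-');
```

In a real Slim or Silex application the authenticate() call is what the "before" middleware does, with the AuthService backed by a database; the rest of the route never sees the token, only the resolved user.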

tagged: oauth middleware slim access token validation generate

Link: http://www.lornajane.net/posts/2013/oauth-middleware-for-slim

Pádraic Brady:
Stateful vs Stateless CSRF Defences: Know The Difference
Aug 13, 2013 @ 09:49:00

In this new post to his site, Pádraic Brady looks at two methods for generating CSRF (cross-site request forgery) tokens to help protect your application. It's not a tutorial per se, more of a comparison of two methods: stateful and stateless CSRF tokens.

The difference between Stateful and Stateless CSRF defences is that the former requires storing the CSRF token on the server (i.e. session data) while the latter does not, i.e. the server has zero record of any CSRF tokens. As far as the server is concerned, the number of parties with persistent knowledge of a valid token is reduced to just one – the client. [...] Let’s compare both types of CSRF protections.

He introduces the concepts behind both types of token generation, pointing out that most of the PHP frameworks out there rely on the stateful option (the "synchronizer token" method). The stateless alternative ("double submit") sends the same token twice, once in the POST body and once as a cookie, and the server only checks that the two copies match, since a cross-site request cannot read or set the cookie value to put it in the form. He also dissects another article on stateless tokens he came across and explains why its method of generation may not be ideal.

Like most attacks, CSRF does not exist in isolation so developing a good defence requires mitigating other attacks. [...] Any good CSRF token implementation, whether stateful or stateless, should reflect those requirements with features for limiting tokens by scope and time.

tagged: csrf token stateless stateful difference doublesubmit random synchronizer

Link: http://blog.astrumfutura.com/2013/08/stateful-vs-stateless-csrf-defences-know-the-difference

Joseph Scott:
Stateless CSRF Tokens
Aug 02, 2013 @ 11:16:44

Joseph Scott has a recent post to his site looking at the idea of stateless CSRF tokens and how to create them while avoiding the typical "store them in a session" mentality.

This is all fine and good until you want to avoid using PHP sessions. Perhaps you have several web servers and don't want to deal with shared session storage. Or have servers in multiple data centers and don't want to try and sync state across them. Whatever the reason, popping a token into $_SESSION isn't an option in this case. In short you want some sort of stateless CSRF token.

He looks at two methods to help get around this issue. The first is based on known values that change only rarely (say, once every 24 hours), so the same token stays valid for that whole window. His second method has a bit more strength to it: it combines a secret key, the current time, a timeout and a known string of data into a token, base64 encoded, that the server can re-derive and check on each request without storing anything.
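Pádraic Brady's post above asks for tokens limited by scope and time, and Joseph Scott's second method shows how to get that with no server-side state. The block below is an added example of one such stateless token in PHP, not the code from either post: it MACs an expiry timestamp together with the user id and the action the form performs under a server secret, so the token is bound to one user, one action and one time window. It assumes the secret is loaded from configuration (a placeholder is used) and that the user id is taken from the authenticated session, which a forging site cannot read.

```php
<?php
declare(strict_types=1);

// Added example, not Joseph Scott's or Pádraic Brady's code. A stateless CSRF
// token: base64url(expiry . "." . HMAC-SHA256(key, expiry|user|action)).
// Nothing is stored server-side; verification re-derives the MAC.
final class StatelessCsrf
{
    private string $key;

    public function __construct(string $key)
    {
        if (strlen($key) < 32) {
            throw new InvalidArgumentException('use at least 256 bits of key material');
        }
        $this->key = $key;
    }

    /** Issue a token bound to one user, one action and a lifetime in seconds. */
    public function issue(string $userId, string $action, int $ttl, ?int $now = null): string
    {
        $expires = ($now ?? time()) + $ttl;
        $raw     = $expires . '.' . $this->mac($expires, $userId, $action);
        // base64url keeps the token safe in forms, headers and URLs.
        return rtrim(strtr(base64_encode($raw), '+/', '-_'), '=');
    }

    /** Verify a token for the given user and action at time $now. */
    public function verify(string $token, string $userId, string $action, ?int $now = null): bool
    {
        $b64  = strtr($token, '-_', '+/');
        $b64 .= str_repeat('=', (4 - strlen($b64) % 4) % 4);
        $raw  = base64_decode($b64, true);
        if ($raw === false || substr_count($raw, '.') !== 1) {
            return false;                       // malformed
        }
        [$expires, $mac] = explode('.', $raw, 2);
        if (!ctype_digit($expires) || (int) $expires < ($now ?? time())) {
            return false;                       // expired (time limit)
        }
        // Any change to user, action or expiry yields a different MAC (scope
        // limit); hash_equals keeps the comparison constant-time.
        return hash_equals($this->mac((int) $expires, $userId, $action), $mac);
    }

    private function mac(int $expires, string $userId, string $action): string
    {
        // Length-prefix the fields so "ab"+"c" and "a"+"bc" cannot collide.
        $msg = implode('|', [
            (string) $expires,
            strlen($userId) . ':' . $userId,
            strlen($action) . ':' . $action,
        ]);
        return hash_hmac('sha256', $msg, $this->key);
    }
}

// --- demo with constructed data ---
$csrf  = new StatelessCsrf('0123456789abcdef0123456789abcdef'); // placeholder, load from config
$t0    = 1700000000;
$token = $csrf->issue('user-42', 'transfer-funds', 900, $t0);

// Flip one character in the middle of the token (inside the MAC bytes).
$i        = 20;
$tampered = substr_replace($token, $token[$i] === 'A' ? 'B' : 'A', $i, 1);

$checks = [
    'valid within lifetime' => $csrf->verify($token,    'user-42', 'transfer-funds', $t0 + 60),
    'other user (scope)'    => $csrf->verify($token,    'user-7',  'transfer-funds', $t0 + 60),
    'other action (scope)'  => $csrf->verify($token,    'user-42', 'delete-account', $t0 + 60),
    'after timeout (time)'  => $csrf->verify($token,    'user-42', 'transfer-funds', $t0 + 901),
    'tampered'              => $csrf->verify($tampered, 'user-42', 'transfer-funds', $t0 + 60),
];
foreach ($checks as $label => $ok) {
    printf("%-22s %s\n", $label, $ok ? 'accepted' : 'rejected');
}
```

The trade-off Pádraic Brady's post points at is visible here: because the server keeps no record, a token cannot be made single-use; anyone who captures one can replay it for the same user and action until it expires, so the lifetime should be as short as the form allows.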

tagged: csrf token stateless tutorial session base64 timeout microtime

Link: https://josephscott.org/archives/2013/07/stateless-csrf-tokens

Anthony Ferrara:
Preventing CSRF Attacks
Feb 20, 2013 @ 09:36:41

Anthony Ferrara has written up a new post to his site looking at effective use of CSRF tokens and a few different strategies for generating them.

There's been a bit of noise in the past week about the proper way to prevent Cross-Site-Request-Forgery (CSRF) attacks. It seemed to have started with this post. There's been discussion in the comments, and on Twitter about it, and there seems to be several opposing viewpoints on the matter. I want to start off by saying that I agree completely with the post in question. But I figured I'd write a post to explain WHY I agree with it.

He starts with an overview of a few of the common ways a token defence can be undermined, including a JavaScript injection, a Man-in-the-Middle attack and a replay attack. He then breaks up the "lines of defense" part of the post into three sections: adding a hidden token field to forms, changing the token for each request, and using a cryptographically secure random source when regenerating them.
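Rob Allen's Slim-Csrf post at the top of this page and this one describe the same stateful ("synchronizer") defence: a random token stored in the session, echoed in a hidden field, compared on submit, and replaced for every request. The block below is an added example of that pattern in plain PHP; it is not Slim-Csrf's code nor Anthony Ferrara's. It assumes a session array (passed in so the script runs on the command line instead of needing session_start()) and two fixed field names, csrf_name and csrf_value.

```php
<?php
declare(strict_types=1);

// Added example, not Slim-Csrf's code. Stateful CSRF guard: each rendered form
// gets its own random token name and value, both kept in session storage; a
// POST is accepted only if it carries a pair present in the session.
final class CsrfGuard
{
    private const STORAGE_KEY = 'csrf';
    private const MAX_TOKENS  = 50;   // bound per-session storage (many open tabs)

    /** @var array<string,mixed> reference to the session array */
    private $session;

    public function __construct(array &$session)
    {
        $this->session = &$session;
        $this->session[self::STORAGE_KEY] ??= [];
    }

    /** Generate a fresh name/value pair and remember it. Returns [name, value]. */
    public function generateToken(): array
    {
        $name  = 'csrf_' . bin2hex(random_bytes(8));
        $value = bin2hex(random_bytes(32));          // 256 bits from the CSPRNG
        $this->session[self::STORAGE_KEY][$name] = $value;
        // Drop the oldest tokens when too many forms are outstanding.
        while (count($this->session[self::STORAGE_KEY]) > self::MAX_TOKENS) {
            array_shift($this->session[self::STORAGE_KEY]);
        }
        return [$name, $value];
    }

    /** Hidden inputs to embed in a form (one fresh pair per rendered form). */
    public function hiddenFields(): string
    {
        [$name, $value] = $this->generateToken();
        return sprintf(
            '<input type="hidden" name="csrf_name" value="%s">'
            . '<input type="hidden" name="csrf_value" value="%s">',
            htmlspecialchars($name, ENT_QUOTES, 'UTF-8'),
            htmlspecialchars($value, ENT_QUOTES, 'UTF-8')
        );
    }

    /**
     * Validate a submitted request body. The token is single-use: it is removed
     * whether or not the check passes, so a captured value cannot be replayed.
     */
    public function validate(array $body): bool
    {
        $name  = $body['csrf_name']  ?? null;
        $value = $body['csrf_value'] ?? null;
        if (!is_string($name) || !is_string($value)) {
            return false;
        }
        $stored = $this->session[self::STORAGE_KEY][$name] ?? null;
        unset($this->session[self::STORAGE_KEY][$name]);
        // hash_equals avoids leaking the stored value through timing differences.
        return is_string($stored) && hash_equals($stored, $value);
    }
}

// --- demo with a simulated session and constructed request bodies ---
$session = [];
$guard   = new CsrfGuard($session);
[$name, $value] = $guard->generateToken();

$cases = [
    'cross-site form (no token)' => ['amount' => '10'],
    'guessed value'              => ['csrf_name' => $name, 'csrf_value' => str_repeat('0', 64), 'amount' => '10'],
    'legitimate form'            => ['csrf_name' => $name, 'csrf_value' => $value, 'amount' => '10'],
    'replay of the same form'    => ['csrf_name' => $name, 'csrf_value' => $value, 'amount' => '10'],
];
foreach ($cases as $label => $body) {
    printf("%-27s %s\n", $label, $guard->validate($body) ? 'accepted' : 'rejected');
}
echo "tokens left in session: " . count($session['csrf']) . "\n";
```

Note the ordering in the demo: the guessed value targets the same token name as the legitimate form, so it burns that token and the legitimate submission that follows is rejected too. That is the intended behaviour of a single-use token and is the reason a form should fetch a fresh pair (via hiddenFields()) every time it is rendered.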

tagged: csrf attack prevention overview token generation tutorial

Link: