The CSRF Protector project is awesome: it automatically buffers the output generated by PHP and attaches the JavaScript code to the HTML output. It also attaches hidden tokens to forms to support no-JS versions.
CSRF Protector LITE, on the other hand, uses the model adopted by CSRFP, but the developer has to add the client-side JavaScript code to the HTML files separately, and the PHP library deals with validation of requests. This removes the added overhead of output being buffered and modified for each request.
PROS:
- Faster, less overhead
- Remove features you don't want :)
CONS:
- Comparatively less easy to implement
Include the PHP library, located at /libs/csrf/csrfprotector.php, at the places where requests shall be sent (submitted):
include __DIR__ .'/path/to/csrfprotector.php';
csrfprotector::init();
Include the JS code at the places from where requests shall be sent. The code is available at js/csrfprotector.js
<script type="text/javascript" src="/path/to/csrfprotector.js"></script>
- The name of the token is the same in both the PHP library and the JS library. In the PHP code it is set on line 14 with define("CSRFP_TOKEN","csrfp_token"); in the JS library it is available as CSRFP_TOKEN inside the CSRFP class.
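
Why the token name has to match on both sides, as an added example that is not code from CSRF Protector LITE: a JavaScript model of the client attaching the token and of the check the server performs. It assumes the token is issued in a cookie and echoed back in a urlencoded request body; the function names and the sample cookie are constructed for illustration.

```javascript
// Added illustration; not the project's own code.
// Assumption: token is set in a cookie and echoed in the request body.
const CSRFP_TOKEN = "csrfp_token"; // must equal the name define()'d in the PHP library

// Client side: read the token from a document.cookie-style string.
function readToken(cookieHeader, name = CSRFP_TOKEN) {
  for (const part of cookieHeader.split(";")) {
    const [key, ...rest] = part.trim().split("=");
    if (key === name) return decodeURIComponent(rest.join("="));
  }
  return null;
}

// Client side: add the token to a urlencoded body under the given field name.
function attachToken(body, token, name = CSRFP_TOKEN) {
  const params = new URLSearchParams(body);
  params.set(name, token);
  return params.toString();
}

// Compare without an early exit, so timing does not reveal a matching prefix.
function constantTimeEqual(a, b) {
  if (typeof a !== "string" || typeof b !== "string") return false;
  if (a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// Model of the server check: the body must carry the cookie's token
// under the expected field name, otherwise the request is rejected.
function validateRequest(cookieHeader, body, name = CSRFP_TOKEN) {
  const expected = readToken(cookieHeader, name);
  const submitted = new URLSearchParams(body).get(name);
  if (!expected || !submitted) return false;
  return constantTimeEqual(expected, submitted);
}

// Constructed sample values, not real session data.
const SAMPLE_COOKIE = "PHPSESSID=abc123; csrfp_token=3f9c1e7a5b2d4c68";
const sampleToken = readToken(SAMPLE_COOKIE);
console.log(validateRequest(SAMPLE_COOKIE, attachToken("amount=10", sampleToken)));
console.log(validateRequest(SAMPLE_COOKIE, attachToken("amount=10", sampleToken, "csrf_token")));
```

If the name is changed in only one of the two libraries, every legitimate request is rejected in the same way as a request that carries no token at all.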