Csrf Contracts
This page covers the behavior you can rely on when integrating with the Csrf package.
Token key contract
The package uses one fixed key name:
csrf-token
That key is used for session storage and for request lookup during validation.
Token generation contract
$token = csrf()->generateToken($key);
generateToken() creates a token only when the current session does not already hold one.
Practical effect:
- the first call stores and returns a token
- later calls return the same token for the current session lifecycle
- generating a token again does not rotate it automatically
If you want a fresh token after a successful submission, call csrf_token() or generateToken() again after validation cleared the previous one.
Validation contract
csrf()->checkToken(request());
checkToken() requires the request to expose a token under csrf-token.
Validation rules:
- if the request does not contain a token, the package throws
CsrfException - if the request token does not exactly match the session token, the package throws
CsrfException - if the tokens match, the package returns
true
Single-use contract
Successful validation immediately clears the token state:
- deletes
csrf-tokenfrom session storage - deletes
csrf-tokenfrom the current request input - deletes
X-csrf-tokenfrom the current request headers
That means the same token is not meant to pass validation twice in the same session.
Session dependency contract
Csrf builds itself around the current Session package instance.
If your application does not have working session storage, token generation and validation cannot behave correctly.
Failure behavior
The package exposes two validation failures:
- missing token
- token mismatch
Both failures are raised as CsrfException instances. The package does not return false for validation failure.