anonymous_token
This module generates and validates CSRF tokens for anonymous users.
By default Drupal generates CSRF tokens only for authenticated users.
See also "Anonymous forms vulnerable to CSRF not considered a vulnerability" and "#1803712: Allow form tokens to be used on anonymous forms in some cases".
7.x-1.x
1. Install and activate module
2. Check CSRF token for anonymous users
8.x-1.x
See CSRF Anonymous Token for the Drupal 8 variant of this module's 7.x-1.x branch.
2.x / 3.x
The 2.x release of this module is completely different in design, implementation, and purpose. Version 2.0+ of this module does not wire up anonymous CSRF protection automatically. Instead, you must explicitly wire up each route you wish to protect in *.routing.yml, enabling CSRF token protection for each route by specifying _anonymous_csrf_token: 'TRUE' in the route's declaration.
You will also need to call this module's AnonymousCsrfTokenGenerator service, which wraps the CsrfTokenGenerator from core, to complete the implementation:
use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;

/** @var \Drupal\anonymous_token\Access\AnonymousCsrfTokenGenerator $csrf_token_service */
$csrf_token_service = \Drupal::service('anonymous_token.csrf_token');
// The path is an optional argument for generating and validating CSRF tokens.
$path = 'example-path';
// Generate a CSRF token bound to that path.
$csrf_token = $csrf_token_service->get($path);
// Example manual CSRF token validation, if not via the route access checker.
if ($csrf_token_service->validate($csrf_token, $path) === FALSE) {
  throw new AccessDeniedHttpException('Invalid token');
}
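A route declaration of the kind the 2.x / 3.x section describes, as an added example that is not taken from the module's own code. The module name `example`, the route names, and the controller class are hypothetical, and placing `_anonymous_csrf_token` under `requirements` is an assumption based on how core declares its own `_csrf_token` check.

```yaml
# example.routing.yml (hypothetical module "example")

# State-changing route reachable by anonymous users. In 2.x / 3.x nothing is
# protected until the route opts in, so the requirement is declared here.
example.subscribe:
  path: '/example-path'
  defaults:
    # Hypothetical controller; it performs the state change.
    _controller: '\Drupal\example\Controller\SubscribeController::submit'
  methods: [POST]
  requirements:
    _permission: 'access content'
    # Assumed placement: listed with the other access requirements.
    # The value is the quoted string 'TRUE', as given in the module text.
    _anonymous_csrf_token: 'TRUE'

# A route that opts out simply omits the requirement. Any route that changes
# state and is left like this is not covered by the module.
example.subscribe_unprotected:
  path: '/example-path-unprotected'
  defaults:
    _controller: '\Drupal\example\Controller\SubscribeController::submit'
  methods: [POST]
  requirements:
    _permission: 'access content'
```

When auditing a site that uses 2.x or later, search every *.routing.yml for anonymous-accessible routes that change state and confirm each one carries the requirement, since the module no longer adds it automatically.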