I have a question about Cross-Site Request Forgeries (CSRF).
Somewhere in the processing of my form, I check:
// Require both tokens to be present and compare them with hash_equals()
// (strict, constant-time) instead of the loose == comparison.
if (isset($_SESSION['token'], $_POST['token'])
    && is_string($_POST['token'])
    && hash_equals($_SESSION['token'], $_POST['token'])) {
    // all other code omitted
} else {
    // no place for bad guys here
}
So basically, if the token is good, the form continues to check for errors, valid data, etc.
I was wondering: is there a point in checking the token again each time I check something else?
For example:
// above code omitted
// Same gate as before: both tokens present, compared with hash_equals().
if (isset($_SESSION['token'], $_POST['token'])
    && is_string($_POST['token'])
    && hash_equals($_SESSION['token'], $_POST['token'])) {
    // all other code omitted
    // check to see if there were any errors
    if (count($errors) >= 1) {
        $valid = false;
    } else {
        // all other code omitted
        if ($sent == $allowed) {
            if ($addNew == true) { // Should I be checking the token each time, or am I being redundant??
                // all other code omitted
            }
        }
    }
} else {
    // no place for bad guys here
}