waynewex Posted October 17, 2009 Share Posted October 17, 2009 In order to prevent CSRF on certain links, I have in place something like this: <a href="logout.php?sid=<?php echo session_id(); ?>">Logout</a> Then I check to see whether or not the session_id matches the sid in the URL. Is this method pretty safe? I know that SIDs are pretty near impossible to guess. Quote Link to comment Share on other sites More sharing options...
Daniel0 Posted October 17, 2009 Share Posted October 17, 2009 That should be adequate protection. Any kind of random token will suffice. Quote Link to comment Share on other sites More sharing options...
waynewex Posted October 17, 2009 Author Share Posted October 17, 2009 That should be adequate protection. Any kind of random token will suffice. Thanks. It's just that any examples of protection against CSFR were based around post values. Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.