kellyjg Posted July 2, 2010

I have a question about Cross-Site Request Forgeries (CSRF). Somewhere in the processing of my form, I check:

```php
if (isset($_SESSION['token']) && $_POST['token'] == $_SESSION['token']) {
    // all other code omitted
} else {
    // no place for bad guys here
}
```

So basically, if the token is good then the form continues to check for errors, valid data, etc... I was wondering: is there a point in checking the token again each time I check something else? For example:

```php
// above code omitted
if (isset($_SESSION['token']) && $_POST['token'] == $_SESSION['token']) {
    // all other code omitted
    // check to see if there were any errors
    if (count($errors) >= 1) {
        $valid = false;
    } else {
        // all other code omitted
        if ($sent == $allowed) {
            if ($addNew == true) { // Should I be checking the token each time, or am I being redundant??
                // all other code omitted
            }
        }
    }
} else {
    // no place for bad guys here
}
```
fortnox007 Posted September 1, 2010

I would love to know that too, any security guru online?
shlumph Posted September 2, 2010

I generate a hash whenever a form is created, and include it in a hidden field. When you validate the form, also validate the hash value.
fortnox007 Posted September 2, 2010

Mind giving a short example if it isn't too much work? And can't they edit the hidden field?
shlumph Posted September 2, 2010

If they edit the hidden field, it won't pass the validation. It's pretty much what you have:

```php
<?php
// Generate random hash, store in $_SESSION['token'], also place in hidden field
// When the form is being validated, check if the token is correct
if (isset($_SESSION['token']) && $_POST['token'] == $_SESSION['token']) {
    // Token is valid, carry on processing the form
} else {
    // If the token isn't valid, then throw an exception or act accordingly
}
```
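A fuller version of the pattern shlumph describes, added here as an example (not code from kellyjg or shlumph): the token is issued once per session, echoed into the hidden field, and checked a single time at the top of the POST handler, so the nested branches from the original question never need to test it again. Using `random_bytes()` and `hash_equals()` instead of `==` is my choice; the `name` field and the 403 response are assumptions for the demo.

```php
<?php
// Added example: one token per session, validated once before any other work.
// Everything below the check runs only after the token matched, so repeating
// the comparison inside later branches is redundant.
session_start();

// Issue (or reuse) the session token when the form is rendered. PHP 7+.
function csrf_token(): string
{
    if (empty($_SESSION['token'])) {
        $_SESSION['token'] = bin2hex(random_bytes(32)); // 64 hex chars
    }
    return $_SESSION['token'];
}

// Hidden field for the form; escape the value like any other output.
function csrf_field(): string
{
    return '<input type="hidden" name="token" value="'
        . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
}

// Validate once. hash_equals() avoids loose "==" semantics and timing leaks;
// isset() on the POST key keeps a missing field from counting as a match.
function csrf_valid(array $post): bool
{
    return isset($_SESSION['token'], $post['token']) && is_string($post['token'])
        && hash_equals($_SESSION['token'], $post['token']);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_valid($_POST)) {
        http_response_code(403);
        exit('Invalid form token.'); // no place for bad guys here
    }
    // Token is known-good from here on: validate fields, collect $errors,
    // and run the add/update code without checking the token again.
    $errors = [];
    if (trim($_POST['name'] ?? '') === '') { // assumed demo field
        $errors[] = 'Name is required.';
    }
    if (count($errors) === 0) {
        // ... save the record ...
    }
}
?>
<form method="post">
    <?= csrf_field() ?>
    <input type="text" name="name">
    <button type="submit">Send</button>
</form>
```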
fortnox007 Posted September 2, 2010

Thanks a lot for sharing, m8!
This topic is now archived and is closed to further replies.