Jump to content

Recommended Posts

How much work do you to stop CSRF? Like, I've made sure when changing passwords/e-mails (or anything related to account security) they have to confirm their own password so CSRF can't really do much.

 

I've got a header referral check on everything but this is really easy to spoof so without putting hidden tokens in each form is there any easier way?

 

I can't really be bothered and the worst thing they can do is get a user to post a spam post on my forum or something trivial.

 

How far do you take it?

Link to comment
https://forums.phpfreaks.com/topic/261773-csrf/
Share on other sites

The problem isn't that you're not using CSRF tokens,

I can't really be bothered

That is the problem. As a user I find it distressing when the person/people maintaining a site I use simply don't care. You just shrug off spam? That shows you have no interest in the health of the forum, and if you don't care then why should I?

Link to comment
https://forums.phpfreaks.com/topic/261773-csrf/#findComment-1341458
Share on other sites

My form class extends a token class I've made.

 

It was very little extra work for me to add tokens to my forms ;)

 

I wouldn't call a CSRF header injection easy though. It's quite tricky to spoof the referrer of another client's browser. Many corporate proxies or paranoid users won't send the referrer header on a legit request, though.

Link to comment
https://forums.phpfreaks.com/topic/261773-csrf/#findComment-1341471
Share on other sites

I wouldn't call a CSRF header injection easy though. It's quite tricky to spoof the referrer of another client's browser. Many corporate proxies or paranoid users won't send the referrer header on a legit request, though.

 

I feel that checking the referer is pointless because it can be spoofed. Plus, as you said, it might not even bet set.

Link to comment
https://forums.phpfreaks.com/topic/261773-csrf/#findComment-1341513
Share on other sites

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.