colap Posted September 7, 2020 Share Posted September 7, 2020 I know, csrf token is like a random string. Does every form need a csrf token? Does every form need to have a different csrf token or all forms have a same csrf token for one logged in user? When an user logged in, I set $_SESSION['key']=$useremail; is it ok to set email for a logged in session? Do I have to set or add another $_SESSION with csrf token? How does csrf token add security for form submission? After form submission, what would PHP do with the hidden input field or with the csrf token? Quote Link to comment Share on other sites More sharing options...
Strider64 Posted September 7, 2020 Share Posted September 7, 2020 (edited) Well, when the user first visit a website the token is generated and stored in sessions then when he/she submits his information in a form the token is sent along with the info. That way it has to be her/him that enter the data from that browser and the only way it can theoretically happen to be another user would be that user would have to use the same browser on that computer. For more info check out -> https://owasp.org/www-community/attacks/csrf Edited September 7, 2020 by Strider64 Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.