Jump to content

How does csrf token add security for form submission?


Recommended Posts

I know, csrf token is like a random string. Does every form need a csrf token? Does every form need to have a different csrf token or all forms have a same csrf token for one logged in user? When an user logged in, I set $_SESSION['key']=$useremail; is it ok to set email for a logged in session? Do I have to set or add another $_SESSION with csrf token? How does csrf token add security for form submission? After form submission, what would PHP do with the hidden input field or with the csrf token?

Link to comment
Share on other sites

Well, when the user first visit a website the token is generated and stored in sessions then when he/she submits his information in a form the token is sent along with the info. That way it has to be her/him that enter the data from that browser and the only way it can theoretically happen to be another user would be that user would have to use the same browser on that computer.  For more info check out -> https://owasp.org/www-community/attacks/csrf

Edited by Strider64
Link to comment
Share on other sites

This thread is more than a year old.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.


  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.