  1. #1
    Fanatic Enthusiast Niall's Avatar

    Join Date
    Aug 2007
    Posts
    3,298

    PHP CSRF prevention

    http://shiflett.org/articles/cross-site ... -forgeries

    I'm not sure if I'm misreading this, but this wouldn't work for something like a login, would it?
    If someone revisits the page in any way, a new key will be generated for the hidden input. The $_POST key wouldn't be the same as the $_SESSION key, it would have been regenerated and it wouldn't match.

    Any way to prevent this so it works around this? I mean, even if the user logged out and in again in the same session things would go awry.

  2. #2
    lucien is queen Hazzystan's Avatar

    Join Date
    Feb 2008
    Location
    Scotland
    Posts
    2,977

    Re: PHP CSRF prevention

    Couldn't you just unset the session every time the user logs out?
    Code:
    if ($logout = 1) {
    unset($_SESSION["token"]);
    }
    what is homo love?

  3. #3
    Obsessed Veteran Adam's Avatar



    Join Date
    Nov 2004
    Location
    UK / England
    Posts
    17,271

    Re: PHP CSRF prevention

    Hence you only generate a new key if one doesn't already exist. I like to add a time threshold to indicate when a key must be renewed. Once you know the form is valid you can just dispose of the key.

  4. #4
    Fanatic Enthusiast Niall's Avatar

    Join Date
    Aug 2007
    Posts
    3,298

    Re: PHP CSRF prevention

    Ahhhhh okay, thanks for the help both of you.

  5. #5
    Obsessed Veteran Adam's Avatar



    Join Date
    Nov 2004
    Location
    UK / England
    Posts
    17,271

    Re: PHP CSRF prevention

    Quote Originally Posted by Gimli
    Couldn't you just unset the session every time the user logs out?
    Code:
    if ($logout = 1) {
    unset($_SESSION["token"]);
    }
    ^ Just noticed this will fail, you're assigning, not comparing (==)

  6. #6
    lucien is queen Hazzystan's Avatar

    Join Date
    Feb 2008
    Location
    Scotland
    Posts
    2,977

    Re: PHP CSRF prevention

    Quote Originally Posted by Adam
    Quote Originally Posted by Gimli
    Couldn't you just unset the session every time the user logs out?
    Code:
    if ($logout = 1) {
    unset($_SESSION["token"]);
    }
    ^ Just noticed this will fail, you're assigning, not comparing (==)
    Woops

    Code:
    if ($logout == 1) {
    unset($_SESSION["token"]);
    }
    fixed*
    what is homo love?

  7. #7
    Fanatic Enthusiast Niall's Avatar

    Join Date
    Aug 2007
    Posts
    3,298

    Re: PHP CSRF prevention

    Just to confirm, this'd be a valid implementation, correct?

    Code:
    session_start();
    
    if (!isset($_SESSION["key"])) {
    	// rand()/uniqid() are predictable; use the CSPRNG instead (random_bytes needs PHP 7+)
    	$key = bin2hex(random_bytes(32));
    	$_SESSION["key"] = $key;
    } else {
    	$key = $_SESSION["key"];
    }
    
    // Only compare when a token string was actually submitted, and compare in
    // constant time; a loose == comparison is open to PHP type juggling
    if (isset($_POST["key"]) && is_string($_POST["key"])
    	&& hash_equals($_SESSION["key"], $_POST["key"])) {
    	// Continue..
    }
    the HTML being

    Code:
    <form action="" method="post">
    	<!-- escape the token on output so the hidden field can never break the markup -->
    	<input type="hidden" name="key" value="<?php echo htmlspecialchars($key, ENT_QUOTES, 'UTF-8'); ?>" />
    	<input type="text" name="passwordorsomething" />
    	<input type="submit" value="go" />
    </form>

  8. #8
    Obsessed Veteran Adam's Avatar



    Join Date
    Nov 2004
    Location
    UK / England
    Posts
    17,271

    Re: PHP CSRF prevention

    Seems fine. Ensure you dispose of the key or re-generate it after X time.
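Putting Adam's three points together (reuse the key while one exists, renew it after a time threshold, dispose of it once the form validates), here is an added example of that pattern; it is not code from the thread, and the names csrf_token(), csrf_check() and the CSRF_TTL value are this example's own choices.

```php
<?php
// Added example, not code from the thread. Function names csrf_token(),
// csrf_check() and the CSRF_TTL value are this example's own choices.
session_start();

const CSRF_TTL = 1800; // seconds before a token must be renewed (assumed value)
// Return the current token, minting one only when none exists or it is stale,
// so a page reload or a second open tab does not invalidate an open form.
function csrf_token(): string {
    $entry = $_SESSION['csrf'] ?? null;
    if ($entry === null || time() - $entry['issued'] > CSRF_TTL) {
        $entry = ['token' => bin2hex(random_bytes(32)), 'issued' => time()];
        $_SESSION['csrf'] = $entry;
    }
    return $entry['token'];
}

// Validate a submitted token; a successful match consumes it so it cannot be replayed.
function csrf_check(?string $submitted): bool {
    $entry = $_SESSION['csrf'] ?? null;
    if ($entry === null || $submitted === null) {
        return false;
    }
    if (time() - $entry['issued'] > CSRF_TTL) {
        unset($_SESSION['csrf']);   // stale: reject even if it would match
        return false;
    }
    // Constant-time, strict comparison; loose == is open to type juggling.
    $ok = hash_equals($entry['token'], $submitted);
    if ($ok) {
        unset($_SESSION['csrf']);   // dispose of the key once the form is accepted
    }
    return $ok;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_check($_POST['key'] ?? null)) {
        http_response_code(403);
        exit('Invalid or expired form token');
    }
    // ... check credentials here, then session_regenerate_id(true) on success ...
}
$key = csrf_token();
?>
<form action="" method="post">
    <input type="hidden" name="key" value="<?= htmlspecialchars($key, ENT_QUOTES, 'UTF-8') ?>">
    <input type="text" name="passwordorsomething">
    <input type="submit" value="go">
</form>
```

Because the token lives in the session array, a logout that calls session_destroy() drops it automatically, and the next page load mints a fresh one, which covers the log-out-and-back-in case from the first post.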
