CSRF prevention

[kellyjg]

I have a question about Cross-Site Request Forgeries (CSRF).

 

Somewhere in the processing of my form, I check:

 

if (isset($_SESSION['token']) && $_POST['token'] == $_SESSION['token']) {
     // all other code omitted
} else {
     // no place for bad guys here
}

 

So basically, if the token is good then the form continues to check for errors, valid data, etc...

 

I was wondering; is there a point in checking the token again each time I check something else?

 

For example:

 

// above code omitted
if (isset($_SESSION['token']) && $_POST['token'] == $_SESSION['token']) {
     // all other code omitted
    // check to see if there were any errors
    if  (count($errors) >= 1) {
$valid = false;								
   } else {
       // all other code omitted
       if ($sent == $allowed) {									
            if ($addNew == true) {// Should I be checking the token each time, or am I being redundant??
                // all other code omitted
            }
       }
   }
} else {
     // no place for bad guys here
}

[fortnox007]

I would love to know that too, any security guru online?

[shlumph]

I generate a hash whenever a form is created, and include it in a hidden field. When you validate the form, also validate the hash value.

[fortnox007]

mind giving a short example if it isn't too much work? And can't they edit the hidden field?

[shlumph]

If they edit the hidden field, it won't pass the validation. It's pretty much what you have:

<?php
//Generate random hash, store in $_SESSION['token'], also place in hidden field

//When the form is being validated, check if the token is correct
if (isset($_SESSION['token']) && $_POST['token'] == $_SESSION['token']) {

//If the token isn't valid, then throw an exception or act accordingly

[fortnox007]

Thanks alot for sharing m8!