kellyjg Posted July 2, 2010

I have a question about Cross-Site Request Forgeries (CSRF). Somewhere in the processing of my form, I check:

    // both halves must exist, and the strings must match exactly (strict comparison)
    if (isset($_SESSION['token']) && isset($_POST['token']) && $_POST['token'] === $_SESSION['token']) {
        // all other code omitted
    } else {
        // no place for bad guys here
    }

So basically, if the token is good then the form continues to check for errors, valid data, etc... I was wondering; is there a point in checking the token again each time I check something else? For example:

    // above code omitted
    if (isset($_SESSION['token']) && isset($_POST['token']) && $_POST['token'] === $_SESSION['token']) {
        // all other code omitted
        // check to see if there were any errors
        if (count($errors) >= 1) {
            $valid = false;
        } else {
            // all other code omitted
            if ($sent == $allowed) {
                if ($addNew == true) { // Should I be checking the token each time, or am I being redundant??
                    // all other code omitted
                }
            }
        }
    } else {
        // no place for bad guys here
    }
fortnox007 Posted September 1, 2010

I would love to know that too, any security guru online?
shlumph Posted September 2, 2010

I generate a hash whenever a form is created, and include it in a hidden field. When you validate the form, also validate the hash value.
fortnox007 Posted September 2, 2010

Mind giving a short example if it isn't too much work? And can't they edit the hidden field?
shlumph Posted September 2, 2010

If they edit the hidden field, it won't pass the validation. It's pretty much what you have:

    <?php
    // When the form is created: generate a random hash, store it in
    // $_SESSION['token'], and also place it in the hidden field
    $_SESSION['token'] = bin2hex(random_bytes(16));

    // When the form is being validated: check if the posted token is correct
    if (isset($_SESSION['token']) && isset($_POST['token']) && $_POST['token'] === $_SESSION['token']) {
        // token is valid, carry on processing the form
    } else {
        // If the token isn't valid, then throw an exception or act accordingly
        throw new Exception('Invalid form token');
    }
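The pattern the two replies describe, written out end to end as an added example (my own code, not posted by anyone in this thread): generate the token when the form is built, emit it in a hidden field, and compare it once at the top of the POST handler. It also answers the original question directly: the token check is a single gate, and the later error and $addNew checks do not need to repeat it because nothing between the gate and those checks can change $_POST or the session token. The function names (csrf_token, csrf_field, csrf_valid) and the "name" form field are assumptions; the hidden field is called "token" to match the thread.

```php
<?php
// Added example, not code from the thread. Function names are my own.
declare(strict_types=1);

// Called when rendering the form: create the token once per session and reuse it,
// so a form left open in a second tab still submits.
function csrf_token(): string
{
    if (empty($_SESSION['token'])) {
        // random_bytes() is a CSPRNG; rand() or md5(uniqid()) would be guessable.
        $_SESSION['token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['token'];
}

// Hidden field for the form. Escaping is cheap insurance even though the value is hex.
function csrf_field(): string
{
    return '<input type="hidden" name="token" value="'
        . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
}

// Called once at the top of the POST handler. True only if a session token exists,
// a posted token exists, and the two match byte for byte.
function csrf_valid(array $post): bool
{
    if (empty($_SESSION['token']) || !isset($post['token']) || !is_string($post['token'])) {
        return false;
    }
    // hash_equals() compares in constant time and never type-juggles the way == does
    // (under loose comparison "0e123" == "0e456" is true because both parse as 0.0).
    return hash_equals($_SESSION['token'], $post['token']);
}

session_start();

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_valid($_POST)) {
        http_response_code(403);
        exit('Invalid or missing form token.');
    }
    // Past this point the request is proven to come from our own form. The checks
    // below are about the data, not the origin, so the token is not tested again.
    $errors = [];
    if (trim($_POST['name'] ?? '') === '') {
        $errors[] = 'Name is required.';
    }
    if ($errors === []) {
        // ... save the record ...
        echo 'Saved.';
    } else {
        echo htmlspecialchars(implode("\n", $errors), ENT_QUOTES, 'UTF-8');
    }
} else {
    echo '<form method="post">'
        . csrf_field()
        . '<input type="text" name="name">'
        . '<button type="submit">Save</button>'
        . '</form>';
}
```

Two design points worth noting. The check rejects a request when the session has no token at all (empty($_SESSION['token'])), which is what a forged request from a visitor who never loaded the form looks like; the original `isset($_SESSION['token']) && $_POST['token'] == ...` would also emit an undefined-index notice when the token field is absent. And hash_equals() replaces `==`: besides timing, PHP's loose comparison treats two numeric-looking strings as numbers, so a pair of hex tokens that both start with "0e" followed by digits would compare equal.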
fortnox007 Posted September 2, 2010

Thanks a lot for sharing m8!