ExpertRefresh

Security / CSRF prevention

1) What is a Cross-Site Request Forgery?

CSRF (Cross-Site Request Forgery) attack: the attacker embeds an image tag in some arbitrary web site, example.org:

    <img src="">

The src attribute (empty here) points at a URL on shop.com that triggers a purchase. If you happen to be logged on to shop.com while you browse example.org, your browser fetches that URL and sends your shop.com cookies along with it, so you make a purchase even though you never intended to. The server cannot tell this request from one you made on purpose: the cookie is the same, and the request looks like any other. That is also why the purchase being reachable by a plain GET is part of the problem; state-changing actions should only be accepted via POST.

The token method: when the user requests the form page, the server generates a random token, stores it in the user's session and also places it in a hidden field on the form. On submit, the request is accepted only if the submitted token matches the one stored in the session. A page on example.org cannot read shop.com's form (same-origin policy), so it cannot learn the token, and an <img> tag cannot send a POST body at all, so the forged request fails the check. Two details matter in the implementation: the token must come from a CSPRNG (random_bytes(), not md5(uniqid(rand(), TRUE))), and the comparison must use hash_equals() rather than ==, which in PHP is a loose comparison and leaks timing information.

    <?php
    session_start();

    if (isset($_POST['btn_submit'])) {
        // Accept only if a token exists in the session, one was submitted,
        // and they match. hash_equals() is constant-time and strict.
        if (isset($_SESSION['token'], $_POST['token'])
            && is_string($_POST['token'])
            && hash_equals($_SESSION['token'], $_POST['token'])) {
            echo 'Accepted';
        } else {
            echo 'Denied';
        }
    }

    // Fresh token on every render of the form, tied to this session only.
    $token = bin2hex(random_bytes(32));
    $_SESSION['token'] = $token;
    ?>
    <form method="POST">
        <input type="hidden" name="token" value="<?php echo htmlspecialchars($token, ENT_QUOTES, 'UTF-8'); ?>" />
        <input type="submit" name="btn_submit" />
    </form>
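The same synchronizer-token check written out as an added Python example (this is not code from the page; the page's own code is the PHP above). It models the server-side session as a plain dict, issues a token when the form is rendered, verifies it in constant time on submit, and then runs four flows: the user's own submission, a forged request with no token (what an <img> from example.org can produce), a forged request with a guessed token, and a replay of an already-used token. The /buy endpoint, the session dict and the helper names are assumptions for the demo.

```python
import hmac
import secrets
from typing import Dict, Optional

# Hypothetical server-side session, playing the role of PHP's $_SESSION.
# A real app keys this by a session cookie; here one dict per "browser".
Session = Dict[str, str]


def issue_token(session: Session) -> str:
    """Create a fresh 256-bit random token, store it in the session and
    return it so the form page can place it in a hidden field."""
    token = secrets.token_hex(32)          # OS CSPRNG, not md5(uniqid(rand()))
    session["csrf_token"] = token
    return token


def validate_token(session: Session, submitted: Optional[str]) -> bool:
    """True only if a token is stored in the session, one was submitted, and
    they match. compare_digest is constant-time; bytes avoid str edge cases."""
    expected = session.get("csrf_token")
    if expected is None or submitted is None:
        return False
    return hmac.compare_digest(expected.encode(), submitted.encode())


def render_form(session: Session) -> str:
    """GET /buy (assumed endpoint): the form carries the token in a hidden field."""
    token = issue_token(session)
    return (
        '<form method="POST" action="/buy">'
        f'<input type="hidden" name="token" value="{token}">'
        '<input type="submit" name="btn_submit" value="Buy">'
        '</form>'
    )


def handle_buy(session: Session, form: Dict[str, str]) -> str:
    """POST /buy: reject the purchase unless the token checks out.
    The token is single-use: it is dropped whether or not the check passed."""
    ok = validate_token(session, form.get("token"))
    session.pop("csrf_token", None)
    return "Accepted" if ok else "Denied"


def extract_token(html: str) -> str:
    """What the user's own browser effectively does: it has the page, so the
    token is there to submit back. Naive parse, fine for this constructed HTML."""
    marker = 'name="token" value="'
    start = html.index(marker) + len(marker)
    return html[start:html.index('"', start)]


def legitimate_purchase() -> str:
    """User visits shop.com/buy, receives the form, submits it."""
    session: Session = {}
    form_html = render_form(session)
    return handle_buy(session, {"btn_submit": "1", "token": extract_token(form_html)})


def forged_purchase() -> str:
    """A page on example.org makes the victim's browser hit /buy with the
    victim's cookie, but same-origin policy stops it from reading shop.com's
    form, so it has no token to send (an <img> cannot send a POST body anyway)."""
    session: Session = {}
    render_form(session)                   # victim had the shop page open earlier
    return handle_buy(session, {"btn_submit": "1"})   # no token field at all


def guessed_token_purchase() -> str:
    """Attacker submits a made-up token: 256 random bits are not guessable."""
    session: Session = {}
    render_form(session)
    return handle_buy(session, {"btn_submit": "1", "token": secrets.token_hex(32)})


def replayed_token_purchase() -> str:
    """Even the real token is useless once it has been consumed."""
    session: Session = {}
    token = extract_token(render_form(session))
    handle_buy(session, {"btn_submit": "1", "token": token})        # first use
    return handle_buy(session, {"btn_submit": "1", "token": token})  # replay


if __name__ == "__main__":
    print("legitimate:", legitimate_purchase())
    print("forged:    ", forged_purchase())
    print("guessed:   ", guessed_token_purchase())
    print("replayed:  ", replayed_token_purchase())
```

The single-use behaviour in handle_buy matches what the PHP above does implicitly (it overwrites $_SESSION['token'] on every render); making it explicit on the POST path means a token that leaked from one page cannot be reused later in the same session.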