I am new to this term “CSRF token”. How can I implement a CSRF token in my PHP, and by the way, where should this be used? I really don’t have any idea about this. I just accidentally found it by browsing in Google, so I immediately posted a question here. I know lots of SitePoint people here are familiar with this.
Most people actually AREN’T familiar with CSRF. And while it is possible to create a CSRF token framework, what exactly are you trying to protect and prevent?
While I haven’t been particularly faithful about implementing this on my own websites, what you basically do is generate a token of some kind:
function generate_secure_token($length = 16) {
    /* important! this has to be a cryptographically secure random generator */
    /* $length is the number of random bytes; the hex string is twice that long */
    return bin2hex(openssl_random_pseudo_bytes($length));
}
This utilizes OpenSSL (BTW, which can be a bugger to get working on Windows) and I usually stick it up top in a utility file of some sort.
Can you please show how you do the comparison? By the way, so when you submit the form, on your server side you grab the hidden value? Then you compare it to this $_SESSION[‘actionToken’],
example:
// $hiddencsrftoken holds the value read from the form's hidden field
if (isset($_SESSION['actionToken']) && hash_equals($_SESSION['actionToken'], (string) $hiddencsrftoken)) {
    // do some stuff here...
}
Sally opens the URL (again, usually hidden), and because the cookie is on Sally’s PC, the cookie gets sent as well, authenticating the request as if Sally had done so.
How does a session variable counteract that?
Sally logs in, which creates a session ID.
John has to send Sally the URL before the session expires, or it won’t work anymore (because she’s logged out after X minutes, for example).
How does a CSRF Token counteract it?
Whenever Sally visits yourwebsite.com/doactionform.php, the page generates a unique token, and stores it somewhere (database most common). It also puts it into a hidden field of the form.
John sends Sally a URL to the processing page.
Sally opens the URL, but the processing page detects no token was passed, and rejects the action, even if Sally’s signed in.
If Sally did actually go to the form, fill it out, and hit the submit button, the processing page reads the token, verifies it against the database, erases the token from the database (thus preventing it from being reused!), and processes the action.
It’s a more server intensive system, obviously, which is why I asked what it is you’re using it for.
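The flow described in the last reply (issue a token when the form is rendered, put it in a hidden field, verify and erase it on submit) and the comparison asked about earlier, as one added worked example. This is not code from the thread or from any SitePoint poster; it stores tokens in $_SESSION rather than a database, and the function names (csrf_issue_token, csrf_check_token, render_form, handle_post), the session key 'csrf_tokens', the field name 'csrf_token' and the 15-minute lifetime are all assumptions made for the example. It needs PHP 7.4 or later (random_bytes, hash_equals, arrow functions).

```php
<?php
// Added example: one-time CSRF tokens kept in the PHP session.
// Names, keys and the TTL below are assumptions for this illustration.
declare(strict_types=1);

const CSRF_TOKEN_TTL = 900; // seconds a token stays valid (assumed value)

// Issue a fresh token when the form page is rendered. Several tabs may
// be open at once, so keep a small map of outstanding tokens, not one.
function csrf_issue_token(): string {
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    // random_bytes() is a cryptographically secure generator (PHP >= 7);
    // 32 bytes gives a 64-character hex string.
    $token = bin2hex(random_bytes(32));
    $_SESSION['csrf_tokens'][$token] = time() + CSRF_TOKEN_TTL;
    // Drop expired entries so the session does not grow without bound.
    $_SESSION['csrf_tokens'] = array_filter(
        $_SESSION['csrf_tokens'],
        fn(int $expires): bool => $expires > time()
    );
    return $token;
}

// Verify a submitted token: constant-time compare, then erase it so a
// replayed form cannot reuse it (the "one-time" property from the thread).
function csrf_check_token(?string $submitted): bool {
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if ($submitted === null || $submitted === '') {
        return false; // no token passed: the forged-link case
    }
    foreach ($_SESSION['csrf_tokens'] ?? [] as $stored => $expires) {
        // hash_equals avoids timing leaks and PHP's loose == pitfalls
        // (e.g. two different "0e..." strings comparing equal).
        if (hash_equals((string) $stored, $submitted)) {
            unset($_SESSION['csrf_tokens'][$stored]); // single use
            return $expires > time();
        }
    }
    return false;
}

// --- form page (think doactionform.php) ---
function render_form(): string {
    $token = htmlspecialchars(csrf_issue_token(), ENT_QUOTES, 'UTF-8');
    return '<form method="post" action="doaction.php">'
         . '<input type="hidden" name="csrf_token" value="' . $token . '">'
         . '<button type="submit">Do action</button></form>';
}

// --- processing page (think doaction.php) ---
function handle_post(): void {
    if ($_SERVER['REQUEST_METHOD'] !== 'POST'
        || !csrf_check_token($_POST['csrf_token'] ?? null)) {
        http_response_code(403);
        exit('Invalid or missing CSRF token');
    }
    // ... perform the state-changing action here ...
}

// Quick check from the command line: issue one token, then try the three
// cases from the thread (no token, the genuine token, a replay of it).
if (PHP_SAPI === 'cli') {
    $issued = csrf_issue_token();
    var_dump(csrf_check_token(null));    // forged link: no token was passed
    var_dump(csrf_check_token($issued)); // genuine submit
    var_dump(csrf_check_token($issued)); // replay of the already-used token
}
```

Run it with `php csrf_example.php` to see the three cases; in a real site the form page calls render_form() and the processing page calls handle_post() before doing anything state-changing. Expiring and erasing tokens is what keeps the session-based version from being "more server intensive": nothing is stored outside the session the user already has.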