CSRF token, how to implement

I am new with this word “CSRF token”. How can I implement a CSRF token in my PHP? By the way, where should this be used? I really don’t have any idea on this. I just accidentally found this by browsing in Google, so I immediately posted the question here. I know lots of SitePoint people here are familiar with this.

Thank you in advance.

Most people actually AREN’T familiar with CSRF. And while it is possible to create a CSRF token framework, what exactly are you trying to protect and prevent?

@StarLion,

Thank you for the quick reply. So where does the CSRF token get used? In submitting the form?

what exactly are you trying to protect and prevent?

I don’t know yet how this CSRF token works. I don’t know where to apply this.

While I haven’t been pretty faithful implementing this on my own websites, what you basically do is generate a token of some kind

function generate_secure_token($length = 16) {
    /* important! this has to be a cryptographically secure random generator */
    return bin2hex(openssl_random_pseudo_bytes($length));
}

This utilizes OpenSSL (BTW, which can be a bugger to get working on Windows :smile:) and I usually stick it up top in a utility file of some sort.

Then when a person logs in I stick it in the session.

$_SESSION['actionToken'] = generate_secure_token();

Then I stick it in a hidden field in a form every time a database table is accessed and compare it to the login token.


@Pepster,

Nice example Pepster :smile:, so this is how it works.

Can you please show how you compare? By the way, when you submit the form, on your server side you grab the hidden value, then compare it to this $_SESSION['actionToken']?

example:

$hiddencsrftoken = $_POST['csrf_token'] ?? ''; // value of the hidden form field (field name assumed)

// hash_equals() is a constant-time string comparison; == would also apply PHP type juggling
if (isset($_SESSION['actionToken']) && hash_equals($_SESSION['actionToken'], $hiddencsrftoken)) {
    // do some stuff here...
}

Is that how you compare?

Thank you in advance.

Using it this way, there’s no difference between a session ID and your CSRF token.

A CSRF token is supposed to be unique to the transaction, not the session.

Can you please show an example, so that I can see the difference?

Thank you in advance.

@Pepster,

What is the difference between using the session ID and your generated CSRF token? I think @StarLion has a point.

So what CSRF does is pretty simple:

  1. Sally logs onto yourwebsite.com. She creates a cookie, so the site can know it’s her.
  2. John sends Sally a URL (usually hidden in some way, obviously) that says yourwebsite.com?do=somethingbad.
  3. Sally opens the URL (again, usually hidden), and because the cookie is on Sally’s PC, the cookie gets sent as well, authenticating the request as if Sally had done so.

How does a session variable counteract that?

  1. Sally logs in, which creates a session ID.
  2. John has to send Sally the URL before the session expires, or it won’t work anymore (because she’s logged out after X minutes, for example).

How does a CSRF Token counteract it?

  1. Whenever Sally visits yourwebsite.com/doactionform.php, the page generates a unique token, and stores it somewhere (database most common). It also puts it into a hidden field of the form.
  2. John sends Sally a URL to the processing page.
  3. Sally opens the URL, but the processing page detects no token was passed, and rejects the action, even if Sally’s signed in.

If Sally did actually go to the form, fill it out, and hit the submit button, the processing page reads the token, verifies it against the database, erases the token from the database (thus preventing it from being reused!), and processes the action.

It’s a more server intensive system, obviously, which is why I asked what it is you’re using it for.
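The per-transaction flow described above (mint a token when the form is rendered, verify it on the processing page, erase it after one use), written out as an added example that is not code from this thread. It uses $_SESSION as the token store for simplicity where the post mentions a database; the form field name csrf_token and the function names are assumptions.

```php
<?php
// Added example: one-time, per-form CSRF tokens in plain PHP.
// Store is $_SESSION here; a database table works the same way (INSERT on issue, DELETE on use).
declare(strict_types=1);

session_start();

// Called while rendering doactionform.php: mint a fresh token for this one form.
function issue_csrf_token(): string
{
    $token = bin2hex(random_bytes(32));          // random_bytes() is cryptographically secure (PHP 7+)
    // Keep several outstanding tokens so two open tabs do not invalidate each other.
    $_SESSION['csrf_tokens'][$token] = time();
    return $token;
}

// Called by the processing page: accept a stored token exactly once, then destroy it.
function consume_csrf_token(?string $submitted, int $max_age = 3600): bool
{
    if ($submitted === null || empty($_SESSION['csrf_tokens'])) {
        return false;                            // John's crafted URL carries no token at all
    }
    foreach ($_SESSION['csrf_tokens'] as $stored => $issued_at) {
        // hash_equals() compares in constant time; == would also do PHP type juggling.
        if (hash_equals((string) $stored, $submitted)) {
            unset($_SESSION['csrf_tokens'][$stored]);  // erase: a replayed token fails next time
            return (time() - $issued_at) <= $max_age;  // stale tokens are rejected too
        }
    }
    return false;
}

// --- doactionform.php: embed the token in a hidden field -------------------------
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    $token = issue_csrf_token();
    printf('<form method="post"><input type="hidden" name="csrf_token" value="%s">'
         . '<button>Do action</button></form>', htmlspecialchars($token, ENT_QUOTES));
    exit;
}

// --- processing page: reject anything without a valid, unused token --------------
if (!consume_csrf_token($_POST['csrf_token'] ?? null)) {
    http_response_code(403);
    exit('Request rejected: missing, reused or expired CSRF token.');
}
// ... perform the state-changing action here, then redirect ...
```

Sally's genuine submission carries a token that matches one stored entry and is processed once; a request built by John (no token, a guessed one, or one already spent) is refused before the action runs.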
