Reputation: 6480
I am thinking of a way to stop Cross-site request forgery attacks as part of my secure coding class.
I am thinking that if I could block attempts to connect to my website from a different address than the one the page is located at... But would that work? If not, what would be a better approach?
What if I did this as my attempt:
<?php
// assuming my page is still on 192.168.195.128
// reject any POST whose Host header is not our own address
if ($_SERVER['REQUEST_METHOD'] == 'POST' &&
    $_SERVER["HTTP_HOST"] != "192.168.195.128")
{
    echo 'Cross-site request forgery attempt!';
}
else
{
    // continue normal execution
}
Upvotes: 2
Views: 124
Reputation: 163234
No, that won't do anything to stop CSRF.
What you need is a token of some kind that is passed to the user to be sent back on a form submission. This token should only be used once, and in a specific place.
CSRF works by sending a generic request to a different site than the user is currently on, generally taking advantage of the fact that they are already authenticated and whatnot on the site being attacked. These requests come from the user's browser and look just like normal requests. You can check the referrer, but a simple token passed in a form is generally considered better.
Upvotes: 3
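The token approach the answer describes, written out as an added example (this is not code from the asker or the answerer). It implements the synchronizer token pattern in PHP: a fresh random token is stored in the session and embedded in one specific form, and the POST handler accepts it once, comparing in constant time and discarding it whether the check passes or fails. The function names, the form id `change_email` and the path `/change_email.php` are made up for the example. The Host check from the question does not help because the browser sets the Host header to the site it is sending the request to, so a forged request carries the same value as a legitimate one; a token stored in the victim's session is not readable from another origin, which is what makes it work.

```php
<?php
// Added example: synchronizer-token CSRF protection for one form.
// Names (csrf_issue_token, csrf_validate_token, 'change_email') are hypothetical.

declare(strict_types=1);

// Issue a token for a named form and remember it in the session.
function csrf_issue_token(array &$session, string $formId): string
{
    $token = bin2hex(random_bytes(32));        // 256 bits from the CSPRNG
    $session['csrf'][$formId] = $token;
    return $token;
}

// Validate the submitted token for that form and consume it, so it is valid once only.
function csrf_validate_token(array &$session, string $formId, ?string $submitted): bool
{
    $expected = $session['csrf'][$formId] ?? null;
    unset($session['csrf'][$formId]);          // consume on every attempt, pass or fail
    if ($expected === null || $submitted === null) {
        return false;
    }
    return hash_equals($expected, $submitted); // constant-time comparison
}

session_start();

if ($_SERVER['REQUEST_METHOD'] === 'GET') {
    // Render the form with the token in a hidden field, HTML-escaped.
    $token = csrf_issue_token($_SESSION, 'change_email');
    ?>
    <form method="post" action="/change_email.php">
      <input type="hidden" name="csrf_token"
             value="<?= htmlspecialchars($token, ENT_QUOTES, 'UTF-8') ?>">
      <input type="email" name="email">
      <button type="submit">Save</button>
    </form>
    <?php
} elseif ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // A cross-site page cannot read the victim's session token, so it cannot supply it here.
    if (!csrf_validate_token($_SESSION, 'change_email', $_POST['csrf_token'] ?? null)) {
        http_response_code(403);
        exit('Invalid or missing CSRF token.');
    }
    // continue normal execution
}
```

Because the token is removed from the session on the first validation attempt, a reload of the form is needed before a second submission; that is the "used once" property the answer calls for. The session cookie should also carry the HttpOnly and SameSite attributes, but those are defence in depth rather than a substitute for the token.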