Quick CSRF Token

Question

So I have found a tutorial supplied on my last thread about generating a CSRF token ... Now how should I implement it?

I've tried making it generate a new token per form request (however trying to do multiple form requests makes it invalid so that's off the list) and from reading other threads making one session token per user login is the way to go.

So what is the best way? Should I make it so when a user logs in, it will just automatically assign a

   $_SESSION['CSRFToken']

And make it assign a hashed/256 bit value? And then make that session token be assigned to every form. I guess I just don't understand how CSRF works and how to actually do something about it. Basically it just sounds like I should make each user login have a session called a Security Token that appears in every form.

Thanks for all the help!

Carey · Accepted Answer

You have the basic idea down. In essence, the purpose of a CSRF token is to ensure a page cannot, say, include an iFrame which triggers something within your application. As a basic example:

Generally, generating one CSRF token per session is OK, but you may want to generate a unique token for each request, and checking that. Doing so will increase the security of your application but is not needed.

A quick reference can be found here: https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29

Update:

You wouldn't do it through $_REQUEST per se, you'd create something like this on the form generation page

$form_session_key = bin2hex(random_bytes(32)); // For more options see http://stackoverflow.com/a/31683058/453273
!isset($_SESSION['CSRF_CONTENTS']) ? $_SESSION['CSRF_CONTENTS'] = array() : 0;
$_SESSION['CSRF_CONTENTS'][] = $form_session_key;

//SNIP

On your processing page

!in_array($_POST['CSRF'], $_SESSION['CSRF_CONTENTS']) ? exit : 0;

The above snippet exits if the CSRF key is not within the CSRF_CONTENTS array, which is generated upon page load.

Quick CSRF Token

Answers (2)

Related Questions