kornesh

Reputation: 618

PHP session token can be used multiple times?

I have page A, which is a normal HTML page, and page B, which is an AJAX response page. I want to prevent CSRF attacks by using tokens. Let's say I use this method for an autocomplete form; is it possible to use the same token multiple times (of course the session is only set one time)? Because I tried this method but the validation keeps failing after the first suggestion (obviously the token has changed, somehow).

page A

<?php
session_start();
$token = md5(uniqid(rand(), TRUE));
$_SESSION['token'] = $token;
?>
<!-- name="token" is required for the value to be submitted as the "token" parameter; <input> is a void element and takes no closing tag -->
<input id="token" name="token" value="<?php echo $token; ?>" type="hidden">
<input id="autocomplete" placeholder="Type something">
....

The form is auto-submitted every time there's a change, using jQuery.

page B

<?php
session_start();
// Guard against missing values and use a strict, constant-time comparison;
// a loose == comparison type-juggles numeric-looking strings such as "0e..."
if (isset($_REQUEST['token'], $_SESSION['token'])
    && hash_equals($_SESSION['token'], (string) $_REQUEST['token'])) {
    echo "I'm working fine";
}
?>

Upvotes: 2

Views: 907

Answers (1)

Chris

Reputation: 1118

It would be possible to use the same token multiple times - as long as $_SESSION['token'] remains unchanged.

Every time page A is called - that token is getting overwritten. If you want to use the same token you may want to try:

<?php
session_start();
if( !isset($_SESSION['token']) ){
  $_SESSION['token'] = md5(uniqid(rand(), TRUE));
}
?>
<input id="token" name="token" value="<?php echo $_SESSION['token']; ?>" type="hidden" />
....

I would also not use $_REQUEST as that leaves your source ambiguous - I would use either $_POST or $_GET.

Upvotes: 3
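As an added example (not code from the question or from Chris's answer), here is a small helper that implements the approach above: generate the token once per session, embed it on page A with a name attribute, and verify it on page B with a strict, constant-time comparison. The function names are hypothetical; it assumes PHP 7.1 or later for random_bytes() and nullable types.

```php
<?php
// csrf.php: one CSRF token per session, reused across many AJAX calls.
// Helper names are hypothetical; random_bytes() needs PHP 7 or later.

function csrf_token(): string
{
    // Create the token only when the session has none yet, so reloading
    // page A does not invalidate requests an already-open page still makes.
    if (empty($_SESSION['token'])) {
        // CSPRNG-backed, unlike md5(uniqid(rand(), true)).
        $_SESSION['token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['token'];
}

function csrf_verify(?string $submitted): bool
{
    if ($submitted === null || empty($_SESSION['token'])) {
        return false;
    }
    // Strict, constant-time compare; loose == type-juggles "0e..." strings.
    return hash_equals($_SESSION['token'], $submitted);
}

function csrf_hidden_input(): string
{
    // Page A embeds this; name="token" is what page B reads from $_POST.
    return '<input id="token" name="token" type="hidden" value="'
        . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
}

function csrf_require(array $post): void
{
    // Page B calls csrf_require($_POST) before doing any work.
    if (!csrf_verify($post['token'] ?? null)) {
        http_response_code(403);
        exit('Invalid CSRF token');
    }
}

// Self-check when run from the CLI (php csrf.php); no session needed.
if (PHP_SAPI === 'cli') {
    $_SESSION = [];
    $t = csrf_token();
    if ($t !== csrf_token()) { throw new RuntimeException('token not stable'); }
    if (!csrf_verify($t)) { throw new RuntimeException('valid token rejected'); }
    if (csrf_verify(strrev($t))) { throw new RuntimeException('bad token accepted'); }
    if (csrf_verify(null)) { throw new RuntimeException('missing token accepted'); }
    echo "ok\n";
}
```

Because the token is created only when the session lacks one, every autocomplete request from the same session validates against the same value until the session ends.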
