In PHP projects, I generated a CSRF token, entered it into the session and later compared it with the $_POST['token'] request. Now I need this functionality for GitHub Pages. I found how to do the same using JS. But how and with what should I now compare this parameter in the PHP config?
<form class="" action="https://somewhere.com/form/form.php" method="POST" id="contact_form">
<input type="text" name="name" value="">
<input type="email" name="email" value="">
<input type="hidden" name="token" value="">
<a id="submitBtn" href="#"></a>
</form>
if($_POST['token']==?????){
//code
}
And is there a PHP analog of the bin2hex(random_bytes(32)) function in pure JS?
Upvotes: 2
Views: 314
Reputation: 12867
While it might be technically possible, it wouldn't be secure, since the point of a CSRF token is that you can prove the form is being submitted by the same client who requested it. So the server provides the client with a secret value, that is also stored encrypted in the session. If the client sends the right value, it is proof that they also requested the page. If the client (with JavaScript) generates the token, it can't prove anything.
Upvotes: 1
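To make the answer's point concrete, here is an added PHP example (not code from the question or the answer) of the server-side token lifecycle it describes: the server generates the secret, keeps a copy in the session, writes it into the form, and on POST compares the submitted value against the session copy. The function names and the in-memory $session array are assumptions so the script runs from the command line; in a real application $session is $_SESSION and $submitted is $_POST['token'].

```php
<?php
// Added example, not part of the original question or answer.
// Simulates the CSRF token lifecycle on the PHP side. $session stands in
// for $_SESSION so the script can run stand-alone (php csrf_demo.php).

declare(strict_types=1);

// Issue a token when the form page is served. The server chooses the value
// with a CSPRNG and keeps the only authoritative copy in the session.
function issueCsrfToken(array &$session): string
{
    if (empty($session['csrf_token'])) {
        // 32 random bytes -> 64 hex characters (the bin2hex(random_bytes(32))
        // idiom from the question)
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

// Render the hidden field. Escaping is defensive; the token is hex anyway.
function renderHiddenField(string $token): string
{
    return '<input type="hidden" name="token" value="'
        . htmlspecialchars($token, ENT_QUOTES, 'UTF-8') . '">';
}

// Verify the submitted token on POST. hash_equals() compares in constant
// time and requires both arguments to be strings, so it also avoids the
// loose-comparison surprises of == (e.g. numeric-looking strings).
function verifyCsrfToken(array $session, ?string $submitted): bool
{
    if (!isset($session['csrf_token']) || $submitted === null) {
        return false; // no session copy or missing field: fail closed
    }
    return hash_equals($session['csrf_token'], $submitted);
}

// --- constructed walk-through ---------------------------------------------
$session = [];

// Step 1: GET the form. The server issues the token and embeds it.
$token = issueCsrfToken($session);
echo renderHiddenField($token), PHP_EOL;

// Step 2: a legitimate POST returns the exact value from the hidden field,
// which matches the session copy, so the request is accepted.
echo 'legitimate submission accepted: ',
    var_export(verifyCsrfToken($session, $token), true), PHP_EOL;

// Step 3: a token the browser made up on its own (the GitHub Pages approach
// from the question). The server has no matching session copy, so there is
// nothing to compare against and the request is rejected.
$clientGenerated = bin2hex(random_bytes(32));
echo 'client-generated token accepted: ',
    var_export(verifyCsrfToken($session, $clientGenerated), true), PHP_EOL;

// Step 4: the field is absent entirely ($_POST['token'] unset).
echo 'missing token accepted: ',
    var_export(verifyCsrfToken($session, null), true), PHP_EOL;
```

The third step is the failure mode the answer is warning about: a value generated in the browser has no counterpart in the server's session, so the comparison in `if($_POST['token']==?????)` has nothing to check against. Whatever page carries the form, the PHP endpoint still has to be the party that issues the token; the static page can only carry a value it was given.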