Frankie

Reputation: 2265

Is this all that needs to be done to prevent CSRF with PHP and Ajax?

I want to make sure I'm understanding and applying the token correctly to avoid CSRF.

My data line in my jQuery ajax request:

data:{ Id:getParameterByName("id"), Token:"<?php echo $csfrToken; ?>" },

My PHP check inside the file that handles the posted data:

if (isset($_SESSION['TOKEN'], $_POST['Token']) && $_SESSION['TOKEN'] === $_POST['Token']) { }

Is there anything else I need to do with an ajax request? All I'm doing is creating a token on the page that contains the ajax request. I then post that created token to my ajax handler page and then check to make sure they are the same. Is there anything else that needs to be done?

Upvotes: 4

Views: 425

Answers (1)

Alex

Reputation: 34978

What you did looks good. That is how Zend Framework's Zend_Form_Element_Hash does it for forms, and this also applies to AJAX requests.

Upvotes: 1
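The same session-token pattern the question and answer describe, as an added example (not the asker's code or Zend's) written the way a handler should check it: the token comes from random_bytes(), is embedded in the script block with json_encode() so it cannot break out of the JS string, and is compared with hash_equals() after both sides are confirmed present. It assumes session_start() has already run and that ajax_handler.php is the POST target.

```php
<?php
// Added example, not the asker's code: the same token-in-session pattern
// from the question, written the way a production handler should check it.
// Assumes session_start() has run and ajax_handler.php is the POST target.

function csrfToken(): string
{
    // One cryptographically random token per session, created on first use
    if (empty($_SESSION['TOKEN'])) {
        $_SESSION['TOKEN'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['TOKEN'];
}

function csrfTokenIsValid($submitted): bool
{
    // Missing session token or non-string input fails closed; hash_equals()
    // compares in constant time and never type-juggles the way == does
    if (empty($_SESSION['TOKEN']) || !is_string($submitted)) {
        return false;
    }
    return hash_equals($_SESSION['TOKEN'], $submitted);
}

// --- Page that issues the AJAX request (page.php) -------------------------
// json_encode() with the HEX flags makes the value safe inside a <script>
// block, so the token can never terminate the JS string literal early.
$tokenJs = json_encode(csrfToken(), JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
?>
<script>
$.ajax({
    type: "POST",                 // state-changing calls go in POST, never GET
    url: "ajax_handler.php",
    data: { Id: getParameterByName("id"), Token: <?= $tokenJs ?> }
});
</script>
<?php

// --- Handler that receives the POST (ajax_handler.php) --------------------
if ($_SERVER['REQUEST_METHOD'] !== 'POST'
    || !csrfTokenIsValid($_POST['Token'] ?? null)) {
    http_response_code(403);      // reject before touching any state
    exit('Invalid request');
}
// ... token verified: perform the update for $_POST['Id'] here
```

The page and handler sections are shown in one file only for compactness; in practice they live in the two scripts named in the comments, both sharing the same session.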
