Cross site request forgery
I read this tutorial which gives a nice explanation to prevent CSRF but it is still going out from my brain. According to this tutorial in method one they are including a random token with each request. So in the form they have included something like this:

<input type="hidden" name="<?php echo $token_id; ?>" value="<?php echo $token_value; ?>">

and after submitting the form they are checking for whether the token is matching or not.

How is it helping in preventing CSRF?
I am confused: when the attacker sends a malicious link to a user, and the user clicks on it, then according to me the token will match every time.

Clint answered 5/5, 2014 at 15:24 Comment(4)
btw: Tokens are not the only way to prevent CSRF. It can be easier to use the origin header: wiki.mozilla.org/Security/Origin - Kaffiyeh
@Francois Thanks for pointing this out. I will try to dive into it :) - Clint
@brasofilo Thanks for editing it. You made it more readable. I will keep these edit areas in my mind so that the next time I ask for help I don't commit these mistakes again :) - Clint
@shubham, honored to hear that :) Pro tip: use a browser spell checker; this way you improve your English and post questions with fewer mistakes. Good luck! - Heres

The token in the page has to match the token stored in a cookie (or session).

The site that set the cookie knows what that token value is and can specify it in the form.

A third-party attacker's site cannot know what that token value is, so it can't specify it.

You test to see if the token in the cookie matches the one in the form data; if they don't match, you reject the request as CSRF.

Colugo answered 5/5, 2014 at 15:27 Comment(2)
Obligatory OWASP Link: owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF) - Feoff
@Colugo Thank you so much. Your answer assured me that I was getting it correct, and it would be even better if you could throw some light on the advantages of using this method, or if you could suggest any other good way of securing a script from CSRF. - Clint
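The session-bound token check the answer describes, written out as an added example (this is not code from the question, the answer or the linked tutorial). It assumes PHP sessions are in use and uses a fixed hidden-field name `csrf_token` instead of the tutorial's random `$token_id`; the names `csrf_token()`, `csrf_field()` and `csrf_valid()` are this example's own.

```php
<?php
// Added example: per-session CSRF token, as described in the answer above.
declare(strict_types=1);

const CSRF_TOKEN_ID = 'csrf_token';  // hidden-field name (assumed, not from the page)

// Issue one unpredictable token per session and keep it server-side.
// An attacker's page cannot read the victim's session, so it cannot learn it.
function csrf_token(): string
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (empty($_SESSION[CSRF_TOKEN_ID])) {
        $_SESSION[CSRF_TOKEN_ID] = bin2hex(random_bytes(32));
    }
    return $_SESSION[CSRF_TOKEN_ID];
}

// Render the hidden input from the question, filled with the session's token.
function csrf_field(): string
{
    return '<input type="hidden" name="' . CSRF_TOKEN_ID . '" value="'
        . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
}

// Compare the submitted token with the session copy in constant time.
// A forged cross-site POST carries the victim's session cookie, but it
// cannot include the matching hidden field, so it fails this check.
function csrf_valid(array $post): bool
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $expected  = $_SESSION[CSRF_TOKEN_ID] ?? '';
    $submitted = $post[CSRF_TOKEN_ID] ?? '';
    return is_string($submitted) && $expected !== ''
        && hash_equals($expected, $submitted);
}

// Form handler: reject the request before doing anything state-changing.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_valid($_POST)) {
        http_response_code(403);
        exit('Rejected: CSRF token missing or wrong');
    }
    // ...process the legitimate form submission here...
}
```

When rendering the form, emit `csrf_field()` inside the `<form>`; the token is regenerated only when the session has none, so every form in the same session shares it.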
