A Simple Method Of Protecting Against Csrf Attacks

A simple method to protect your web application against CSRF (cross-site request forgery) attacks is to generate and validate a unique token of some sort. This can help to prevent automated CSRF attacks. Basically, you will generate a unique token for the user, place it on the page, and then check the token to verify that its valid. You could implement this in just about any server side language, but here is a PHP example.

1. Generate Token and Place it Hidden on Page function getToken() { return hash(“sha256”, “your-random-salt” . userSesssionId()); } echo “<input type=’hidden’ name=’token’ value=’” . getToken() . “’ />”;

2. Check the Token to Validate Its Authenticity function validateToken() { // If we generate the token again, does it still match? return $_POST[“token”] == getToken(); } if (!validateToken()) trigger_error(“Invalid session token.”);

source: CSRF: It’s not trivial (lucb1e.com)

Written on August 21, 2013