New CSRF token per request or NOT?

by

If you do it per form request – then you basically remove the ability for CSRF attacks to occur & you can solve another common issue: multiple form submission

In simple terms – your application will only accept form input if the user ASKED for the form prior to the submission.

Normal scenario:
User A goes to your website, and asks for Form A, is given Form A plus a unique code for Form A. When the user submits Form A, he/she must include the unique code which was only for Form A.

CSRF Attack scenario: User A goes to your website, and asks for Form A. Meanwhile they visit another “bad” site, which attempts a CSRF attack on them, getting them to submit for a fake Form B.

But your website knows that User A never asked for Form B – and therefore even though they have the unique code for Form A, Form B will be rejected, because they dont have a Form B unique Code, only a Form A code. Your user is safe, and you can sleep easy at night.

But if you do it as a generic token, lasting for an hour (like you posted above) – then the attack above might work, in which case you’ve not achieved much with your CSRF protection. This is because the application does not know that form B was never asked for in the first place. It is a generic token. The WHOLE POINT of CSRF prevention is to make each form token unique to that form

Edit: because you asked for more information:
1 – you dont have to do it per form request, you can do it per hour/session etc. The point is a secret value that is given to the user, and resubmiited on the return. This value is not known by another website, and thus cannot submit a false form.

So you either generate the token per request, or per session: 

// Before rendering the page:
$data['my_token'] = md5(uniqid(rand(), true));
$_SESSION['my_token'] = $data['my_token'];

// During page rendering:
<input type="hidden" name="my_token" id="my_token" value="<? php echo $_SESSION['my_token']?>" />

// After they click submit, when checking form:
if ($_POST['my_token'] === $_SESSION['my_token'])
{
        // was ok
}
else
{
          // was bad!!!
}

and because it is “per form” – you wont get double form submissions – because you can wipe the token after the first form submission!

More Related Contents:

  1. How to properly add cross-site request forgery (CSRF) token using PHP
  2. Post request in Laravel – Error – 419 Sorry, your session/ 419 your page has expired
  3. “The page has expired due to inactivity” – Laravel 5.5
  4. Do login forms need tokens against CSRF attacks?
  5. CSRF (Cross-site request forgery) attack example and prevention in PHP
  6. Laravel catch TokenMismatchException
  7. Codeigniter CSRF valid for only one time ajax request
  8. Is it possible to call a PHP function from js file? [duplicate]
  9. How do I get a YouTube video thumbnail from the YouTube API?
  10. Creating the Singleton design pattern in PHP5
  11. PHP file_get_contents() returns “failed to open stream: HTTP request failed!”
  12. Why is mysqli giving a “Commands out of sync” error?
  13. No input file specified
  14. How to best store user information and user login and password
  15. Array as session variable
  16. Day difference without weekends
  17. Delete element from multidimensional-array based on value
  18. What factors make PHP Unicode-incompatible?
  19. PHP namespace with Dynamic class name
  20. sending push notifications to multiple android devices using GCM
  21. Get the price of an item on Steam Community Market with PHP and Regex
  22. PHP try-catch blocks: are they able to catch invalid arg types?
  23. simplexml error handling php
  24. Use openssl_encrypt to replace Mcrypt for 3DES-ECB encryption
  25. Stored Procedures, MySQL and PHP
  26. When and where should I use session_start?
  27. the dreaded “Warning: imagecreatefromjpeg() : ‘/tmp/filename’ is not a valid JPEG file in /phpfile.php on line xxx”
  28. PHP array, Are array indexes case sensitive?
  29. PHP MySQL set Connection Timeout
  30. How can I implement OCR on a website using PHP? [closed]

Leave a Comment