[security] Add CSRF token check #37

New Issue

Closed

opened 2019-02-23 06:26:01 +01:00 by mia · 1 comment

mia commented 2019-02-23 06:26:01 +01:00

Copy Link

CSRF check is important to protect webapps.

Webpage:

	1. send a session cookie
		$_SESSION['csrf'] = {random_generated_value};
	2. include the token to webpage's <FORM> ~ </FORM> area
		<input type="hidden" name="csrf" value="{random_generated_value}">

When the user POST data:

	if ($_POST['csrf'] != $_SESSION['csrf']) {
		echo('CSRF token mismatch!');
		$_SESSION['csrf'] = {random_generated_value};// send new value
		exit;
	}

CSRF check is important to protect webapps. ``` Webpage: 1. send a session cookie $_SESSION['csrf'] = {random_generated_value}; 2. include the token to webpage's <FORM> ~ </FORM> area <input type="hidden" name="csrf" value="{random_generated_value}"> When the user POST data: if ($_POST['csrf'] != $_SESSION['csrf']) { echo('CSRF token mismatch!'); $_SESSION['csrf'] = {random_generated_value};// send new value exit; } ```

albino commented 2019-02-24 17:50:47 +01:00

Owner

Copy Link

We have this already :-)

[We have this already](https://git.fuwafuwa.moe/.cyb/cyberman/issues/9) :-)

albino closed this issue 2019-02-24 17:50:47 +01:00

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

master

Labels

Clear labels   

bug

  

cleanup

  

feature

  

improvement

  

meta

  

security

  

UX

  

whois

No Label

bug

cleanup

feature

improvement

meta

security

UX

whois

Milestone

Clear milestone

No items

No Milestone

Assignees

Clear assignees

No Assignees

2 Participants

Notifications

Subscribe

Due Date

The due date is invalid or out of range. Please use the format 'yyyy-mm-dd'.

No due date set.

Dependencies

No dependencies set.

Reference: .cyb/cyberman#37

No description provided.