CSRF PHP Prevention Mechanism
I have read many articles about CSRF, and almost all of them have the same
solution, which is hidden tokens, so I wrote some code to prevent CSRF and I
tried hacking my own page afterwards, but it didn't work. I would like to
know if my code is CSRF bulletproof, and if there is any way around it.
I have four pages that have forms in them, so in each page I would write the
following:
<?php
// The session must be started before $_SESSION is used (missing in the original snippet)
session_start();

if (isset($_POST['submit'])) {
    // Check for CSRF token (guard against a missing field so the comparison never sees an undefined index)
    if (isset($_POST['token']) && $_SESSION['token'] === $_POST['token']) {
        // write to db
        // keep the current token so the form can be rendered again after a successful submit
        $form_token = $_SESSION['token'];
    } else {
        // CSRF attack has been detected
        die("CSRF :<br>1: {$_SESSION['token']} <br> 2: " . ($_POST['token'] ?? '(no token sent)'));
    }
} else {
    // assign CSRF prevention token
    // $date was never defined in the original snippet; assumed to be the current date
    $date = date('Y-m-d');
    $form_token = md5((rand(1, 89412) * 256 / 4) . $date . time());
    $_SESSION['token'] = $form_token;
}
?>
<form action='' method='post'>
<input type='hidden' name='token' value='<?php echo $form_token; ?>'>
Would this method be enough to stop attackers from using CSRF on my website?
Thanks a lot.
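For comparison, here is a CSRF token handler written as an added example; it is not the code from the question above. It keeps the same hidden-token approach but draws the token from PHP's CSPRNG (`random_bytes()`, PHP 7.0+), compares it in constant time with `hash_equals()`, never echoes the session token back to the client, and sets the session cookie to `SameSite=Lax` as a second layer (PHP 7.3+). The function names `csrf_token()` and `csrf_check()` and the field name `csrf_token` are this example's own choices.

```php
<?php
// Added example (not the original poster's code): CSRF protection with a
// CSPRNG-generated, per-session token and constant-time comparison.

// Defence in depth: a SameSite=Lax session cookie is not sent on cross-site
// POST requests, so most CSRF attempts fail before the token is even checked.
session_set_cookie_params([
    'httponly' => true,
    'samesite' => 'Lax',
]);
session_start();

// Issue one token per session and reuse it across every form on the site.
// A token built from rand()/md5(time()) is predictable; 32 bytes from
// random_bytes() are not.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32)); // 256 bits of entropy
    }
    return $_SESSION['csrf_token'];
}

// Validate a submitted token. A missing or non-string field is a failure,
// not a PHP notice, and hash_equals() avoids leaking the token byte by byte
// through comparison timing.
function csrf_check(array $post): bool
{
    if (empty($_SESSION['csrf_token'])) {
        return false;
    }
    if (!isset($post['csrf_token']) || !is_string($post['csrf_token'])) {
        return false;
    }
    return hash_equals($_SESSION['csrf_token'], $post['csrf_token']);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_check($_POST)) {
        // Record the event for detection; do not reveal the expected token
        // in the response, as the die() message in the question does.
        error_log('CSRF token mismatch from ' . ($_SERVER['REMOTE_ADDR'] ?? 'unknown'));
        http_response_code(403);
        exit('Request rejected.');
    }
    // write to db ...
}
?>
<form action="" method="post">
<input type="hidden" name="csrf_token"
       value="<?php echo htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8'); ?>">
<input type="submit" name="submit" value="Save">
</form>
```

Note that the token is compared on every POST, not only when a `submit` field happens to be present, so a forged request that omits the button name is still rejected, and the token is escaped with `htmlspecialchars()` when written into the hidden field.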