
I have a PHP application where pages are loaded using jQuery/AJAX. My problem is that I need to include a per-request anti-CSRF token.

To put it another way: When I make the first request, the token needs to be renewed for the next request. The problem is: How do I set the new token in the form's hidden field?

I kept a common hidden field for the token and thought of changing its value. But the issue is: how do I set the new token?

I can't do it in AJAX. If the user itself is compromised, then the token fails.

Here is the sample code:

```php
<?php
// The token scheme as posted, fenced and commented. getIpAddress() and
// CM_SALT_CSRF are assumed to be defined elsewhere in the application.
// Note that rand() and md5() are not a cryptographically secure source
// of randomness.

// Per-request random key, kept server-side in the session.
$key = md5(rand(1, 9999) . md5(date("Ymdhisu")) . rand(1, 9999));

// Value that is placed in the form's hidden field.
$token = md5(getIpAddress() . rand(1, 9999) . CM_SALT_CSRF);

// Session-side check value: SHA-512 over key and token, so the server
// must recompute hash('sha512', $key . $submittedToken) to verify.
$hash_key = hash('sha512', $key . $token);

$_SESSION['CSRF_TOKEN'] = $hash_key;
$_SESSION['KEY'] = $key;
```

Then I set $token in the hidden field.

Now, after I submit a request with the token, processing will generate and set a new CSRF token. Since it's in 2.0, how do I set the new token value in the hidden field?

If I set the new token by requesting some page via JavaScript, then it can also be done via cURL, right?

Hope I am clear?

EDIT 1

My scenario is: what if the user itself is a hacker who created a fake account using a fake email ID? Then he/she can send a cURL request from localhost, forging the referrer and other header fields, to my site while he/she is logged into my site in another tab. The user is able to get the CSRF token from the cURL response!? Correct me if I am wrong.

Balamurugan G
  • what have you tried so far? What do you know won't work? That may give us a better idea of what you are trying to achieve, and what the constraints are. – Will Palmer Sep 30 '12 at 14:01
  • Are you working against a standard or some other best practices document you could refer us to, where we can try to understand the scope of what is needed? A request can mean different things, in other words. – Jared Farrish Sep 30 '12 at 14:12
  • I guess ol' face.peck has left the scene. – Jared Farrish Sep 30 '12 at 14:35
  • Why do you need a CSRF token per page, and not just one per session? If you are doing ajax-request, you could easily replace the value in the hidden fields using jQuery based on the response. – Erlend Sep 30 '12 at 19:09
  • If I keep it one per session and the user is compromised, then the user can make several requests using the token, isn't it? Yes, I can do it with the jQuery response, but then it can also be done via cURL by a compromised site or user, who can POST a request in a loop. – Balamurugan G Oct 01 '12 at 07:13
  • Possible duplicate of [New CSRF token per request or NOT?](http://stackoverflow.com/questions/10466241/new-csrf-token-per-request-or-not) – Paul Sweatte Nov 22 '15 at 02:43
  • @PaulSweatte I don't think so. My scenario is: what if the user itself is a hacker who created a fake account using a fake email ID? Then he/she can send a cURL request from localhost, forging the referrer and other header fields, to my site while he/she is logged into my site in another tab. The user is able to get the CSRF token from the cURL response!? Correct me if I am wrong. – Balamurugan G Nov 23 '15 at 05:01
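
Added example, not the poster's code and not an answer from the thread: a minimal PHP endpoint that validates the submitted token against the session with a constant-time comparison, rotates it only after a successful check, and returns the replacement in the JSON body of the AJAX response so the client can write it back into the hidden field. The function names `csrf_rotate`, `csrf_current` and `csrf_validate`, the `csrf_token` field and `X-CSRF-Token` header names, and the single-file endpoint layout are all assumptions.

```php
<?php
// Added example of per-request CSRF token rotation for an AJAX-driven PHP
// application. Function, field and header names are assumptions.

session_start();

const CSRF_SESSION_KEY = 'CSRF_TOKEN';

// Draw a fresh token from the CSPRNG, store it in the session, return it.
function csrf_rotate(): string
{
    $token = bin2hex(random_bytes(32));
    $_SESSION[CSRF_SESSION_KEY] = $token;
    return $token;
}

// Current token for embedding in the page; created on first use.
function csrf_current(): string
{
    return $_SESSION[CSRF_SESSION_KEY] ?? csrf_rotate();
}

// Compare the submitted token with the session copy in constant time.
function csrf_validate(?string $submitted): bool
{
    $expected = $_SESSION[CSRF_SESSION_KEY] ?? null;
    if ($expected === null || $submitted === null) {
        return false;
    }
    return hash_equals($expected, $submitted);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    header('Content-Type: application/json');

    // Accept the token from the form body or from a request header.
    $submitted = $_POST['csrf_token'] ?? ($_SERVER['HTTP_X_CSRF_TOKEN'] ?? null);

    if (!csrf_validate($submitted)) {
        // Do not rotate here: a rejected request must not invalidate the
        // token the legitimate page is still holding.
        http_response_code(403);
        echo json_encode(['error' => 'invalid CSRF token']);
        exit;
    }

    // ... perform the state-changing work for this request here ...
    $result = ['ok' => true];

    // Rotate after success and hand the new token back in the response body.
    $result['csrf_token'] = csrf_rotate();
    echo json_encode($result);
    exit;
}

// Initial page render: embed the current token in the hidden field.
$token = htmlspecialchars(csrf_current(), ENT_QUOTES, 'UTF-8');
echo '<form id="f"><input type="hidden" id="csrf_token" name="csrf_token" value="'
    . $token . '"></form>';
```

On the client, the jQuery call sends the hidden field's value and replaces it from the response, for example `$.post('/action.php', { csrf_token: $('#csrf_token').val() }, function (resp) { $('#csrf_token').val(resp.csrf_token); }, 'json');`. Two points worth keeping in mind with this design: a page on another origin cannot read that JSON response because of the same-origin policy, and a cURL process on the attacker's own machine does not carry the victim's session cookie, so the response only ever reaches the browser tab that legitimately holds the session. Per-request rotation also means two AJAX requests in flight at the same time will race, with the second one carrying the already-consumed token; either serialise the requests on the client or accept a small window of recently issued tokens on the server.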

0 Answers