I have a user discussion website. There are many threads on my website. When a user opens a thread, a CSRF security token is generated to be used in the comment form:

    <?php
    session_start(); // the token lives in the session, so the session must be open first
    if (!isset($_SESSION['token'])) {
       // first page view in this session: mint a token and remember when it was issued
       // (md5(uniqid(rand())) is not a cryptographic random source)
       $token = md5(uniqid(rand(), TRUE));
       $_SESSION['token'] = $token;
       $_SESSION['token_time'] = time();
    } else {
       // later page views reuse the token already stored in the session
       $token = $_SESSION['token'];
    }

I am using this security token in the comment form like this:

    <form action="comment.php" method="post">
    <input type="hidden" name="token" value="<?php echo $token; ?>" />
    <input type="text" name="comment_body" value="" />
    </form>

and at the receiving end:

    // check that a token was sent before comparing, and compare in constant time
    // rather than with a loose == on attacker-supplied input
    if (isset($_POST['token'], $_SESSION['token'])
        && is_string($_POST['token'])
        && hash_equals($_SESSION['token'], $_POST['token'])) {

       /* Valid Token */

    }

Now, the problem is, if the user opens more than one thread (page), the value in $_SESSION['token'] will be the value generated from the last page, and all the previously opened pages will lose the $token value in $_SESSION['token']. So, if the user tries to post comments from previously opened pages, he will fail.

What is the solution for this problem?

  • Check how django manages it. – Piotr Jaszkowski Apr 28 '13 at 10:34
  • You generate a token once when you set up a fresh session on the server. If that is not safe enough, you generate a token for each request, but store them all in an array. Then you need an additional request identifier to verify that the provided token has indeed been handed out to that specific form. – arkascha Apr 28 '13 at 10:44
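A per-thread token table along the lines of arkascha's comment, as an added example that is not code from the question or the comments. It assumes PHP 7 or later, that session_start() has already run, and that the thread id travels with the form as the request identifier; the TTL and the table cap are assumed values.

```php
<?php
// Added example, not from the question: one CSRF token per thread, kept in a
// per-session array so tokens from several open pages stay valid at once.
// Assumes PHP >= 7 and that session_start() has already been called.
const CSRF_TTL = 3600;      // seconds a token stays valid (assumed value)
const CSRF_MAX_TOKENS = 50; // bound the array so many open tabs cannot bloat the session

function csrf_issue_token(string $formId): string
{
    if (!isset($_SESSION['csrf']) || !is_array($_SESSION['csrf'])) {
        $_SESSION['csrf'] = [];
    }
    $now = time();
    // Reuse the live token for this form, so two tabs of the same thread agree.
    if (isset($_SESSION['csrf'][$formId]) && $_SESSION['csrf'][$formId]['time'] + CSRF_TTL > $now) {
        return $_SESSION['csrf'][$formId]['token'];
    }
    // Evict expired entries, then the oldest one if the table is still full.
    foreach ($_SESSION['csrf'] as $id => $entry) {
        if ($entry['time'] + CSRF_TTL <= $now) {
            unset($_SESSION['csrf'][$id]);
        }
    }
    if (count($_SESSION['csrf']) >= CSRF_MAX_TOKENS) {
        $oldest = null;
        foreach ($_SESSION['csrf'] as $id => $entry) {
            if ($oldest === null || $entry['time'] < $_SESSION['csrf'][$oldest]['time']) {
                $oldest = $id;
            }
        }
        unset($_SESSION['csrf'][$oldest]);
    }
    $token = bin2hex(random_bytes(32)); // CSPRNG instead of md5(uniqid(rand()))
    $_SESSION['csrf'][$formId] = ['token' => $token, 'time' => $now];
    return $token;
}

// $formId is the request identifier the form sends back (here "comment:<thread id>"),
// so a token issued for one thread's form is not accepted for another thread's form.
function csrf_validate_token(string $formId, $submitted): bool
{
    if (!is_string($submitted) || !isset($_SESSION['csrf'][$formId])) {
        return false;
    }
    $entry = $_SESSION['csrf'][$formId];
    return $entry['time'] + CSRF_TTL > time() && hash_equals($entry['token'], $submitted);
}

// Thread page: $token = csrf_issue_token('comment:' . (int) $_GET['thread']); the form also
// sends the thread id as a hidden field. comment.php then calls
// csrf_validate_token('comment:' . (int) ($_POST['thread'] ?? 0), $_POST['token'] ?? null).
```

The token stays valid for the whole TTL rather than being consumed on first use, so posting from one tab of a thread does not invalidate the form in another tab of the same thread; rotate it on login or on other privilege changes.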