1
<?php
$_SESSION['csrf_token'] = md5(uniqid(rand(), true));
?>
<?php
$csrf1 = $_POST['csrf_token'];
$csrf2 = $_SESSION['csrf_token'];
if($csrf1 === $csrf2) {
//not executing
} else {
}
?>

javascript

var csrf = "<?php echo $_SESSION['csrf_token']; ?>";
var ajax = ajaxObj("POST", "index.php");
ajax.onreadystatechange = function() {
    if(ajaxReturn(ajax) == true) {
        if(ajax.responseText != "success"){
        } else {
            window.location.replace("login.php");
        }
    }
}
ajax.send("csrf_token="+csrf);
  }
  return false;

So, here's some PHP from my code that generates a CSRF token, puts it in session, then checks whether the session value and the POST value are the same. The problem is, the if statement isn't executing. When I echo out the session token right before I send off the request using ajax, the session token is the same. I'm fairly sure that the session token is changing, and I am unsure why.

Edit: I added my javascript. I removed a lot from it, so I hope I didn't mess anything up on it.

Michael Blake
  • Is this code in a single PHP file (so all the code above gets executed sequentially)? If so, from where should `$_POST['csrf_token']` come? – ComFreek Mar 26 '14 at 20:34
  • In addition to @ComFreek's comment, we need more code from you in order to figure out what's happening. If you can post the code you have for the form that's submitting this, and also any other relevant code, it would be highly helpful to us in finding the root cause – Kevin Pei Mar 26 '14 at 20:36
  • Do you update `$_SESSION['csrf_token']` on each request? – Gumbo Mar 26 '14 at 20:51
  • Let me update the code. – Michael Blake Mar 26 '14 at 20:55
  • @ComFreek Sorry, I never noticed your comment, but yes, it's a single PHP file, and I updated it, so you can see where $_POST['csrf_token'] comes from. – Michael Blake Mar 26 '14 at 23:38

3 Answers

1

A very important piece of information OP failed to provide is that the request goes to the same script that makes his token. Therefore, what is happening is exactly what is supposed to happen. Here is a solution I provided to him on a different website.

<?php
if((isset($_SESSION['csrf_token'], $_SESSION['time']) && time() - $_SESSION['time'] > 60) || !isset($_SESSION['csrf_token'])) {
    $_SESSION['csrf_token'] = md5(uniqid(rand(), true));
    $_SESSION['time'] = time();
} 
?>
David Harris
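
The root cause named in this answer (the script overwrites the session token on the AJAX POST before comparing it), shown next to the reuse-until-expiry fix, as an added example that is not part of the original answer. The function names, the `CSRF_TTL` constant and the plain array standing in for `$_SESSION` are assumptions; `random_bytes()` and `hash_equals()` are substituted here for the thread's `md5(uniqid(rand(), true))` and `===`.

```php
<?php
// Added example, not the asker's or answerer's code. Names are illustrative;
// the 60-second lifetime is the one used in the answer above.
const CSRF_TTL = 60;

// Return the session's token, minting a new one only when none exists or it expired.
function csrf_token(array &$session, int $now): string {
    $expired = isset($session['time']) && $now - $session['time'] > CSRF_TTL;
    if (!isset($session['csrf_token']) || $expired) {
        $session['csrf_token'] = bin2hex(random_bytes(32)); // CSPRNG-backed token
        $session['time'] = $now;
    }
    return $session['csrf_token'];
}

// Validate a submitted token against the session in constant time.
function csrf_valid(array $session, $submitted, int $now): bool {
    if (!isset($session['csrf_token'], $session['time']) || !is_string($submitted)) {
        return false; // missing session state or non-string input never matches
    }
    if ($now - $session['time'] > CSRF_TTL) {
        return false; // token older than its lifetime
    }
    return hash_equals($session['csrf_token'], $submitted);
}

// Constructed walk-through: $session stands in for $_SESSION across two
// requests to the same script (the page load, then the AJAX POST).
$session = [];
$t = 1000; // constructed timestamp

// Request 1 (GET): the token is minted and embedded in the page's JavaScript.
$inPage = csrf_token($session, $t);

// Request 2 (POST), the question's behaviour: token overwritten before the check.
$overwritten = $session;
$overwritten['csrf_token'] = bin2hex(random_bytes(32));
var_dump(csrf_valid($overwritten, $inPage, $t + 5));

// Request 2 (POST), reuse until expiry: csrf_token() keeps the stored value.
csrf_token($session, $t + 5);
var_dump(csrf_valid($session, $inPage, $t + 5));
// Case: the POST field is absent.
var_dump(csrf_valid($session, null, $t + 5));
// Case: the same token submitted after its lifetime has passed.
var_dump(csrf_valid($session, $inPage, $t + 61));
```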
0
if($csrf1 === $csrf2) {

change so: if($csrf1 == $csrf2) {

ComFreek
Chris
0

I would echo the contents and visually compare the two to check for identical values. For what it is worth, have you tried strcmp()?

if(strcmp($csfr1, $csfr2) == 0) {
    //Got a match
} else {
    //No match, look at the two strings for debug purposes.
    print("<pre> CSRF1: $csrf1 \n CSRF2: $csrf2 </pre>");
}
Crackertastic
  • Thank you for the help. I actually just tried this, and no matter what, it runs //got a match. Even when I change the POST value. – Michael Blake Mar 26 '14 at 21:04