
I want to securely process form data in a PHP project.

I found that it can be done with either

  1. current time based tokens or
  2. session based tokens

I want maximum security. Which of these strategies is good?

nnk
    CSRF token security levels are simple, there's 'Not Using CSRF Tokens' [0%], then there's 'Using CSRF Tokens' [100%], and finally there's stressing out over the security of the security feature [100% + ulcers and hair loss] – Sammitch May 29 '14 at 16:43
  • @Sammitch Ah doesn't make sense to me :) – Rahil Wazir May 29 '14 at 16:57
  • http://stackoverflow.com/questions/10466241/new-csrf-token-per-request-or-not – Top Cat May 29 '14 at 17:00
  • I think [`mcrypt_create_iv( MCRYPT_DEV_URANDOM)`](http://us2.php.net/manual/en/function.mcrypt-create-iv.php) based is the best ;-) – inf3rno May 30 '14 at 01:00

1 Answer

You definitely don't want to use a token based purely on the current time (option 1). If everyone sees the same token, it's trivial for an attacker to request the "current" token himself (e.g., through his own server) and use it in a CSRF attack.

Option 2 can't be attacked this way, since the attacker would need to be in the same session (however that's implemented) in order to get the right token.

guest
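A session-bound token as the answer recommends (option 2), written as an added PHP example that is not from the question, the answer or the comments; the function names and the `csrf_token` field name are my own choices, while `random_bytes()`, `hash_equals()` and `$_SESSION` are standard PHP.

```php
<?php
// Added example: session-bound CSRF token for a PHP form.
// Contrast with option 1: something like md5(time()) is identical for every
// visitor in the same second, so an attacker's own request reveals it. Here
// the token is random and lives only in this user's server-side session.
declare(strict_types=1);

const CSRF_SESSION_KEY = 'csrf_token'; // assumed key name

// Generate the token once per session: 32 bytes from the CSPRNG, hex-encoded.
function csrf_token(): string
{
    if (empty($_SESSION[CSRF_SESSION_KEY])) {
        $_SESSION[CSRF_SESSION_KEY] = bin2hex(random_bytes(32));
    }
    return $_SESSION[CSRF_SESSION_KEY];
}

// Compare in constant time so response timing does not leak the real token.
function csrf_valid(?string $submitted): bool
{
    $expected = $_SESSION[CSRF_SESSION_KEY] ?? null;
    if ($expected === null || $submitted === null) {
        return false;
    }
    return hash_equals($expected, $submitted);
}

// Hidden field to embed in every state-changing form.
function csrf_field(): string
{
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
}

// --- Usage: same script renders the form and handles the POST ---
session_start();

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_valid($_POST['csrf_token'] ?? null)) {
        http_response_code(403);
        exit('Invalid CSRF token');
    }
    // Token matched this session: safe to act on the submitted data here.
    exit('Form accepted');
}

echo '<form method="post">' . csrf_field() . '<button>Submit</button></form>';
```

Because the token is tied to the session rather than the clock, a cross-site request forged from another origin has no way to read it and therefore fails the `hash_equals()` check.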