
I'm new to PHP, so apologies if this is an amateur mistake. I am attempting to add a simple CSRF check for a basic contact form.

I am following the instructions under 8 Cross-site request forgery on this page: http://www.phpfreaks.com/tutorial/php-security

It passes security when the HTML page is refreshed, but the first time it does not. The error it provides the first time is: "Undefined index: token". So I guess it's somehow not writing the token to Session the first time?

Any assistance you can provide would be greatly appreciated. Thank you.

PHP to set up token called in the HEAD of HTML page with include:

<?php
function generateFormToken() {
    session_start();
    $_SESSION['token'] = uniqid(md5(microtime()), true);
}
?>

Form (simplified):

<?php generateFormToken(); ?>  
<form method="post" action="php/formsubmit.php">
   <fieldset>
      <!-- fields -->
      <input type="hidden" name="token" value="<?php echo $_SESSION['token'] ?>">
   </fieldset>
   <input type="submit" value="Submit" >
</form>

formsubmit.php:

<?php 
session_start();
$isToken = $_SESSION['token'];

if ($_POST['token'] !== $isToken) {
    die('Security failed');
} else {

... run validation etc.
  • You're missing a semicolon in your simplified form after the `$_SESSION['token']` part. Not sure if this was accidentally made during your simplification process. – Tobias Baumeister Jan 09 '16 at 00:15
  • @TobiasBaumeister - You don't need a semicolon if you only have one statement in a PHP-tag like he has. However, you should really check with: `if (session_status() == PHP_SESSION_NONE) { session_start(); }` when you start a session. – M. Eriksson Jan 09 '16 at 00:21
  • Make sure you're not producing ANY output before you call `generateFormToken()`. Check your PHP error log for "Headers already sent" warnings. See http://stackoverflow.com/questions/8028957/how-to-fix-headers-already-sent-error-in-php – Barmar Jan 09 '16 at 00:24
  • Thanks - I had missed it but it's still not working. – Stu Jan 09 '16 at 00:24
  • Thanks @barmar I am getting this error: Cannot send session cache limiter - headers already sent. What would constitute any output? – Stu Jan 09 '16 at 00:26
  • Output would be anything in the script before ` – Barmar Jan 09 '16 at 00:28
  • The warning message should contain the line number where the output started. Look at that line. Doesn't it explain all this in the question I linked to? – Barmar Jan 09 '16 at 00:29
  • It can be something as silly as whitespace after a PHP closing tag in any file that's included before the generate function. This is why it's recommended not to have any closing PHP tags in pure PHP files. – M. Eriksson Jan 09 '16 at 00:35
  • I thought I checked white space but the 'after a PHP tag' may have been the cause. It seems to be working now. With thanks for your help. – Stu Jan 09 '16 at 00:52
  • Try putting session_start(); outside the function at the top of the page inside the ` – Steve Jan 09 '16 at 06:31
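As an added example (not code from the question or from the linked tutorial), the token helpers below put the comment-thread points together in one include file: guard `session_start()` with `session_status()`, omit the closing `?>` tag so the include cannot emit whitespace before headers are sent, and treat a missing token as a failed check instead of an "Undefined index" notice. The file name `csrf.php` is hypothetical, and the code assumes PHP 7 or later for `random_bytes()`.

```php
<?php
// csrf.php (hypothetical name): CSRF token helpers for a session-backed form.
// Deliberately no closing ?> tag at the end of this file: trailing whitespace
// after such a tag is output, which is the "headers already sent" problem.

function startSessionOnce(): void
{
    // Only start a session if none is active yet; calling session_start()
    // twice raises a notice, and calling it after output fails entirely.
    if (session_status() === PHP_SESSION_NONE) {
        session_start();
    }
}

function generateFormToken(): string
{
    startSessionOnce();
    // Keep one token per session; create it from a CSPRNG on first use.
    // uniqid()/md5(microtime()) are predictable and not suitable for this.
    if (empty($_SESSION['token'])) {
        $_SESSION['token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['token'];
}

function verifyFormToken(array $post): bool
{
    startSessionOnce();
    // A request with no session token (e.g. the session could not be started)
    // or no token field must fail the check, not raise a notice.
    if (!isset($_SESSION['token'], $post['token']) || !is_string($post['token'])) {
        return false;
    }
    // Constant-time comparison; a plain !== would compare bytes until the
    // first mismatch and leak timing information.
    return hash_equals($_SESSION['token'], $post['token']);
}

// Usage in the form page (before any HTML is output):
//   <?php require 'csrf.php'; $token = generateFormToken(); ?>
//   ...
//   <input type="hidden" name="token"
//          value="<?php echo htmlspecialchars($token, ENT_QUOTES, 'UTF-8'); ?>">
//
// Usage in formsubmit.php:
//   require 'csrf.php';
//   if (!verifyFormToken($_POST)) {
//       http_response_code(403);
//       die('Security failed');
//   }
```

If the "Cannot send session cache limiter" warning still appears, the line number it reports is where the stray output starts; fixing that is what makes the first (non-refreshed) request work.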
