Okay, I know that we should generate a token, pass it in a hidden field or something within the form, and store the exact generated token in the session; when the user submits the form, the token from the hidden field is matched against the token stored in the session, and if it matches, it's a success. But my question is this: as far as remote login is concerned, a user can remotely post data from another machine, because if he inspects the POST data being sent, he would also grab the token. So how does it prevent remote login?
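The synchronizer-token pattern described in the question, as an added Python example (not code from the original post). The in-memory session store, the handler names and the four constructed requests are assumptions for illustration. The example also shows why the pattern does not stop the scenario the question asks about: the token is tied to the session cookie, so a third-party page cannot read or forge it, but the same user replaying their own cookie and token from curl is indistinguishable from their browser.

```python
import hmac
import secrets
from typing import Dict, Optional

# Hypothetical in-memory session store: session id -> session data.
# A real application would keep this server-side (database, cache, signed cookie).
SESSIONS: Dict[str, dict] = {}


def new_session() -> str:
    """Create an empty session and return its id (the value sent as the cookie)."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {}
    return sid


def issue_csrf_token(session_id: str) -> str:
    """Generate a random token and store it in the server-side session.
    The same value is emitted into the form's hidden field."""
    token = secrets.token_urlsafe(32)
    SESSIONS[session_id]["csrf_token"] = token
    return token


def render_login_form(session_id: str) -> str:
    """Render the login form with the hidden synchronizer token."""
    token = issue_csrf_token(session_id)
    return (
        '<form method="post" action="/login">'
        f'<input type="hidden" name="csrf_token" value="{token}">'
        '<input name="username">'
        '<input type="password" name="password">'
        "</form>"
    )


def verify_csrf(session_id: Optional[str], submitted_token: Optional[str]) -> bool:
    """Compare the submitted hidden-field token with the one stored in the session."""
    session = SESSIONS.get(session_id or "")
    if session is None or not submitted_token:
        return False
    expected = session.get("csrf_token")
    if expected is None:
        return False
    # Constant-time comparison so timing does not leak the token byte by byte.
    return hmac.compare_digest(expected.encode(), submitted_token.encode())


def handle_login(cookies: dict, form: dict) -> str:
    """Simulated POST /login handler; returns a status string instead of an HTTP response."""
    sid = cookies.get("session")
    if not verify_csrf(sid, form.get("csrf_token")):
        return "403 csrf check failed"
    # A real handler would now verify username/password; omitted here.
    return "200 credentials checked"


def demo() -> dict:
    """Run four constructed requests against the handler and collect the results."""
    creds = {"username": "alice", "password": "hunter2"}  # constructed sample input

    # 1. Legitimate browser flow: fetch the form, then submit cookie + hidden token.
    sid = new_session()
    html = render_login_form(sid)
    token = html.split('value="')[1].split('"')[0]
    browser = handle_login({"session": sid}, {"csrf_token": token, **creds})

    # 2. Same user replays their own cookie and token from curl.
    # The server sees exactly the same request as in case 1 and cannot tell them apart.
    curl = handle_login({"session": sid}, {"csrf_token": token, **creds})

    # 3. Cross-site forgery: the victim's browser attaches the cookie automatically,
    # but the attacker's page cannot read the token out of the victim's session.
    cross_site = handle_login({"session": sid}, {**creds})

    # 4. Attacker submits a token from their own session against the victim's cookie.
    attacker_sid = new_session()
    attacker_token = issue_csrf_token(attacker_sid)
    replayed = handle_login({"session": sid}, {"csrf_token": attacker_token, **creds})

    return {
        "browser": browser,
        "curl": curl,
        "cross_site": cross_site,
        "replayed": replayed,
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:>10}: {result}")
```

Cases 1 and 2 both succeed: the token proves the request came from someone who already holds the session and could read the form, which the user themselves always can, whether through a browser or curl. Cases 3 and 4 fail, which is the only thing the synchronizer token is designed to guarantee. Here the token is kept for the life of the session; rotating it per form render is an option, but it does not change the answer to the question either.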
- Unclear what you mean by "remote" in this context. Do you mean you want to limit a user to be able to log in from a specific IP address? – avip Mar 19 '16 at 07:54
- I want the user to only log in from my web application, and not using any sort of login, maybe using curl from another site. – Shiva Acharjee Mar 19 '16 at 08:04
- You can attempt to check the user agent, but that is easily spoofed. Outside of that, you can't guarantee a legitimate user will be using a web browser. If you're worried about some type of bots or automatic tools hitting your web app like that, you can introduce a small delay in the response from the form as well as a maximum number of tries. – avip Mar 19 '16 at 08:13
- How about CAPTCHA? This should lower the risk of CSRF, especially using Google reCAPTCHA? – Shiva Acharjee Mar 19 '16 at 08:46
- A CAPTCHA is a good idea as well to prevent bots. But that has nothing to do with CSRF; try reading [this](http://stackoverflow.com/questions/2581488/understanding-csrf), it may help. – avip Mar 19 '16 at 09:00
- CAPTCHA is one of the methods to prevent CSRF: CSRF prevention without a synchronizer token, via "challenge response". – Shiva Acharjee Mar 19 '16 at 09:14