
I already found links/answers like this that explain how to generate a token and how to use it.

My website is using Smarty and already has a lot of forms. I am trying to find a way to send a token inside the header of every request and catch all the requests to verify the header.

e.g. in AngularJS, I can use $httpProvider.interceptors and headers['Authorization'] = 'Bearer ' + token;

I would like to create something like this:

class Interceptor {
    private $token;

    function __construct($type) {
        switch ($type) {
            case 'beforeSending':
                // generate a token, keep it in the session and add it to the request header
                $this->token = md5(uniqid(rand(), TRUE));
                $_SESSION['token'] = $this->token;
                $_SERVER['HTTP_AUTHORIZATION'] = 'Bearer ' . $this->token;
                break;
            case 'beforeExecuting':
                // compare the submitted token with the one stored in the session
                if (isset($_POST['token']) && hash_equals($_SESSION['token'], $_POST['token'])) {
                    //continue
                } else {
                    //error redirect to homePage or logout
                }
                break;
        }
    }
}

This should add the token stored in the session to the header of every request.

This should also check that every request contains a correct token.

Is there a way to achieve this globally instead of adding an input to every form and checking every call?

Weedoze
  • Just assign a session-variable, and check for that session-variable on the pages you need to authenticate on? – junkfoodjunkie Mar 07 '17 at 09:20
  • I create the token when the user logs in and the token is stored as a session-variable. Now is there a way to check this token globally for every POST? Instead of adding code to every page? – Weedoze Mar 07 '17 at 09:30
  • No. You will need to add session-checking to each processing file. – junkfoodjunkie Mar 07 '17 at 09:39
  • Could you please post an answer ? How can I check the token stored in the session ? With what can I check it ? I will accept your answer – Weedoze Mar 07 '17 at 09:44

1 Answer


Well, there are several ways, but for the token to be properly vetted, a better solution would be to have it generated on login (via session), and then store it or push it via the forms (so you have something to match it to), or if the token itself isn't that important, just that it's there, check to see if a token exists before allowing the processing scripts to proceed.

There are several ways to do this, but as long as you create the session-token on login, and that is stored on the server, all you would need to do on the processing-scripts is something like this:

<?php
// check to see if the session is started
if (!session_id()) { session_start(); }

if (isset($_SESSION['token'])) {
    // process the rest of the form
}
?>
junkfoodjunkie
  • Checking only if the token exists will not protect against CSRF, I think – Weedoze Mar 07 '17 at 10:24
  • Neither will pushing the token via post. It's trivial to forge. But you can add a hidden input, and check that value, and combine it with checks of logged in users and such. – junkfoodjunkie Mar 07 '17 at 10:52
  • I recommend reading more here: https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet – junkfoodjunkie Mar 07 '17 at 10:55
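A worked version of what the question asks for and what the OWASP cheat sheet linked above describes: one per-session synchronizer token, injected into every POST form at render time and verified on every non-safe request, without touching each form or each processing script. This is an added example, not code from the question or the answer. It assumes PHP 7.1 or newer (random_bytes, void return types), Smarty 3's registerFilter('output', ...) API, and that the file is loaded before every request via PHP's auto_prepend_file directive; the session key, field name and header name are choices made here.

```php
<?php
// csrf_guard.php - added example, not the question's or the answer's code.
// Assumptions: PHP >= 7.1, Smarty 3 for the output filter, and that this file
// is loaded on every request, e.g. in php.ini or .htaccess:
//   auto_prepend_file = /var/www/lib/csrf_guard.php
// Session key, form field name and header name below are hypothetical choices.

declare(strict_types=1);

final class CsrfGuard
{
    const SESSION_KEY = 'csrf_token';
    const FIELD_NAME  = 'csrf_token';
    const HEADER_KEY  = 'HTTP_X_CSRF_TOKEN'; // $_SERVER key for an "X-CSRF-Token" header

    /** Return the per-session token, creating it from the OS CSPRNG on first use. */
    public static function token(): string
    {
        if (session_status() !== PHP_SESSION_ACTIVE) {
            session_start();
        }
        if (empty($_SESSION[self::SESSION_KEY])) {
            // 32 random bytes; md5(uniqid(rand())) as in the question is predictable.
            $_SESSION[self::SESSION_KEY] = bin2hex(random_bytes(32));
        }
        return $_SESSION[self::SESSION_KEY];
    }

    /** Call on login (and logout) so the token is bound to the fresh session id. */
    public static function regenerate(): string
    {
        session_regenerate_id(true);
        $_SESSION[self::SESSION_KEY] = bin2hex(random_bytes(32));
        return $_SESSION[self::SESSION_KEY];
    }

    /**
     * Reject any state-changing request whose token does not match the session.
     * The token may arrive as a form field (classic forms) or as a header (XHR/fetch),
     * which covers the "send it in the header of every request" case from the question.
     */
    public static function verify(): void
    {
        $method = $_SERVER['REQUEST_METHOD'] ?? 'GET';
        if (in_array($method, ['GET', 'HEAD', 'OPTIONS'], true)) {
            return; // safe methods must not change state, so nothing to check
        }
        $expected = self::token();
        $given = $_POST[self::FIELD_NAME] ?? $_SERVER[self::HEADER_KEY] ?? '';
        // hash_equals is constant-time; is_string guards against csrf_token[]=... arrays
        if (!is_string($given) || !hash_equals($expected, $given)) {
            http_response_code(403);
            header('Content-Type: text/plain; charset=utf-8');
            exit('Invalid or missing CSRF token');
        }
    }

    /**
     * Smarty output filter: append the hidden token field to every <form method="post">.
     * Signature follows Smarty 3's output filter callback; the template argument is unused.
     */
    public static function inject(string $html, $template = null): string
    {
        $field = sprintf(
            '<input type="hidden" name="%s" value="%s">',
            self::FIELD_NAME,
            htmlspecialchars(self::token(), ENT_QUOTES, 'UTF-8')
        );
        return preg_replace_callback(
            '/<form\b[^>]*>/i',
            function (array $m) use ($field): string {
                // only POST forms need the field; GET forms should stay idempotent anyway
                return preg_match('/\bmethod\s*=\s*["\']?post["\']?/i', $m[0])
                    ? $m[0] . $field
                    : $m[0];
            },
            $html
        );
    }
}

// Runs on every request because the file is auto-prepended (see header comment).
CsrfGuard::verify();

// Smarty wiring, assumed to live in your bootstrap once $smarty is constructed:
//   $smarty->registerFilter('output', ['CsrfGuard', 'inject']);
// Templates then need no change: the hidden field is added to each POST form at render time.
```

Two points worth noting for anyone adapting this. The check runs for every method except GET, HEAD and OPTIONS, so a processing script reached by POST cannot be skipped by accident; pages that legitimately receive POSTs from outside the site (payment callbacks, webhooks) need their own exemption. And because the token lives only in the server-side session and is compared with hash_equals, a forged cross-site form has no way to learn or guess it, which is exactly the gap the comment above identifies with an "exists only" check.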