0

I have read many posts on Stackoverflow.com on how to prevent a CSRF attack. The solution I found here does not seem to be the way I want to go. Here is the stackoverflow.com answer from the link below for someone who is trying to delete a record while ensuring that a CSRF attack is not possible.

preventing csrf in php

confirm.php

<?php
 session_start();
 $token= md5(uniqid());
 $_SESSION['delete_customer_token']= $token;
 session_write_close();
?>
<html>
<body>
<form method="post" action="confirm_save.php">
 <input type="hidden" name="token" value="<?php echo $token; ?>" />
Do you really want to delete?
<input type="submit" value=" Yes " />
<input type="button" value=" No " onclick="history.go(-1);" />
</form>
</body>
</html>

Then when it comes to actually deleting the record:

confirm_save.php

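<?php
 session_start();
 // Read the stored token (empty if none was issued), then discard it so it is single-use.
 $token = $_SESSION['delete_customer_token'] ?? '';
 unset($_SESSION['delete_customer_token']);
 session_write_close();
 // A missing or non-string token is rejected; hash_equals() compares in constant time.
 $posted = $_POST['token'] ?? '';
 if ($token !== '' && is_string($posted) && hash_equals($token, $posted)) {
   // delete the record
 } else {
   // log potential CSRF attack.
 }
?>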

I do not want to use the above script, since the token is passed in a hidden form field; won't an attacker access it by opening it with Firebug? This is my own concept using the user's login session data $_SESSION['uid'] and session_regenerate_id(). With the code below, am I still vulnerable to a CSRF attack?

<?php
// Assuming the user is logged in and the session has been initialized.
session_start();

// Regenerate the session ID to ensure that a session fixation attack is not possible.
session_regenerate_id();

$user_session = $_SESSION['uid'] ?? '';

 if (!empty($user_session)) {
   // update the record
 } else {
   // there is CSRF attack.
 }

?>
chinazaike
  • The solution that you have referenced also uses sessions. It generates a token, saves it to session, and _then_ populates the hidden field. On submit, the submitted token value is then verified against the session value. – Patrick Q Mar 30 '18 at 15:48
  • @patrick I am asking about checking only the user's session data and implementing session_regenerate_id() in my script as I have posted. Will I still be vulnerable to a CSRF attack? – chinazaike Mar 30 '18 at 15:57
  • But the whole basis of your question is based on faulty logic. The solution that you referenced is not as insecure as you seem to think it is. "won't an attacker access it by opening it with firebug" This is irrelevant since the token is _also_ saved in session. Why recreate the wheel when there is already a good way to do this? – Patrick Q Mar 30 '18 at 16:03

1 Answer

0

I realized the best bet was still to use the md5() hash function as stated above and generate a new token on each page reload. Passing the token in a hidden form field is still secure. Thanks

<?php
 session_start();
 $token= md5(uniqid());
?>
chinazaike
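The difference between the two checks discussed in this thread, as an added example that is not part of the original posts. The function names, the sample session and the two requests are constructed for illustration, the session is modeled as a plain array so the script runs from the command line, and random_bytes() is used here in place of md5(uniqid()).

```php
<?php
// Added illustration; all names and sample data below are constructed.

// Issue a per-session token from a CSPRNG and store it server-side.
function issueToken(array &$session): string {
    $session['delete_customer_token'] = bin2hex(random_bytes(32));
    return $session['delete_customer_token'];
}

// The question's concept: accept the request whenever the user is logged in.
function sessionOnlyCheck(array $session): bool {
    return !empty($session['uid']);
}

// The referenced pattern: the posted token must match the one stored in the
// session. The token is single-use and compared in constant time.
function tokenCheck(array &$session, array $post): bool {
    $expected = $session['delete_customer_token'] ?? '';
    unset($session['delete_customer_token']);
    $given = $post['token'] ?? '';
    return is_string($given) && $expected !== '' && hash_equals($expected, $given);
}

// Constructed session of a logged-in user who has just loaded confirm.php.
$session = ['uid' => 42];
$token   = issueToken($session);

// Request 1: the site's own form, which carries the hidden token field.
// Request 2: a form hosted on another site. Unless a SameSite cookie setting
// prevents it, the browser attaches the session cookie by itself, so the
// server sees the same logged-in session. The other site cannot read the
// token from the victim's page, so the field is missing.
$requests = [
    'own form'        => ['token' => $token],
    'cross-site form' => [],
];

foreach ($requests as $label => $post) {
    $s = $session; // each request starts from the same stored session
    printf("%-16s session-only: %-6s token: %s\n", $label,
        sessionOnlyCheck($s) ? 'accept' : 'reject',
        tokenCheck($s, $post) ? 'accept' : 'reject');
}
```

The session-only check accepts both requests, while the token check accepts only the one that came from the site's own form.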