
In order to prevent CSRF attacks, I want to understand one thing. In my website I create $_SESSION['logged'] for a user only when he logs in. While the user uses my website, $_SESSION['logged'] exists, of course. I will explain what I want with some code.

This is checkLogin.php, which checks whether $_SESSION['logged'] exists:

<?php

//checkLogin.php
session_start();            // resumes the session named by the PHPSESSID cookie, if the request carries one
session_regenerate_id();    // issue a fresh session id (data is kept, only the id changes)

if( !isset($_SESSION['logged']) )
{
    // no session, or a session without the login flag
    die('You are not logged.');
}
else
{
    // do something like mysqli query...
    die('You are logged.');
}
?>

My question: if a logged-in user sends a request to checkLogin.php not from my domain, will $_SESSION['logged'] be set or not? What will the response be:

die('You are not logged.');
or
die('You are logged.');

?

I checked that with cURL and the response is always: die('You are not logged.');

<?php
//test.php
session_start();            // this starts a session for test.php itself, not for the request made by cURL below
session_regenerate_id();

$url = "http://localhost/form.php";
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_HEADER, false);
// no CURLOPT_COOKIE / CURLOPT_COOKIEFILE is set, so this request carries no session cookie
curl_exec($ch);
curl_close($ch);

?>

Despite that test, I want to be sure whether any request to checkLogin.php not from my domain can somehow print die('You are logged.');

Thanks.

matan___4
  • It has nothing to do with whether the request comes from a page which was on your domain or not. It depends on whether the request contains the relevant session cookie. If a session cookie matching the session of a logged-in user is sent in the request, then `$_SESSION['logged']` will be set in that session. In your cURL example, you haven't sent any kind of cookie header, so there is no chance of the request being associated with a logged-in session. See https://stackoverflow.com/a/1740900/5947043 for a simple description of how session tracking works. – ADyson Jul 01 '20 at 09:12
  • Nothing you have done here will mitigate CSRF attacks. A cURL client could imitate the browser by first submitting a login request, getting the response, including the session cookie, and then using that cookie to access other pages. A cookie, while intended to be used in a browser context, is actually just transmitted in an HTTP header, so any HTTP client (such as cURL) can use it. Equally, a fraudulent website could have a form on their site which posts to your site and - if the user is already logged into your site in the same browser - that postback would succeed. – ADyson Jul 01 '20 at 09:15
  • Using a CSRF token on your forms would prevent the latter kind of attack (i.e. a form on a fraudulent website). It could not guarantee to prevent access via another non-browser HTTP client (although it would make the process of submitting a valid form more complex), but then again that is not really a CSRF vulnerability - as long as the user has a legitimate login session, then there's no reason why they shouldn't be able to make requests using any client they wish. – ADyson Jul 01 '20 at 09:17
  • This is quite a simple guide to CSRF: https://blog.codinghorror.com/preventing-csrf-and-xsrf-attacks/ – ADyson Jul 01 '20 at 09:17
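The comments above describe the two things that matter: the server only sees the session cookie, not the page that triggered the request, and a CSRF token tied to the session is what stops a form on another site from succeeding. The following is an added example (not code from the question or from the commenters) of checkLogin.php rewritten with such a token. It assumes the same $_SESSION['logged'] flag used in the question, a file name of csrf_demo.php, and PHP 7.3 or newer for the samesite cookie parameter; the token and helper names are made up for the illustration.

```php
<?php
// csrf_demo.php -- added example, not from the original question or comments.
// Assumes $_SESSION['logged'] is set by the login page, exactly as in the question.

session_set_cookie_params([
    'httponly' => true,   // JavaScript cannot read the session cookie
    'samesite' => 'Lax',  // browsers omit the cookie on cross-site POSTs; defence in depth, PHP >= 7.3
    // 'secure' => true,  // enable when the site is served over HTTPS
]);
session_start();

// One random token per session. Regenerate it at login, next to session_regenerate_id(),
// so a token obtained before login cannot be reused afterwards.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));   // 256 bits from the CSPRNG
    }
    return $_SESSION['csrf_token'];
}

// Compare the submitted token with the session's token in constant time.
function csrf_check(?string $submitted): bool
{
    return is_string($submitted)
        && isset($_SESSION['csrf_token'])
        && hash_equals($_SESSION['csrf_token'], $submitted);
}

// Same check as the question's checkLogin.php: only the cookie decides this.
if (!isset($_SESSION['logged'])) {
    http_response_code(401);
    die('You are not logged.');
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // A form hosted on another origin cannot read this session's token,
    // so a cross-site POST carrying the victim's cookie still fails here.
    if (!csrf_check($_POST['csrf_token'] ?? null)) {
        http_response_code(403);
        die('Invalid CSRF token.');
    }
    // do something like mysqli query...
    die('You are logged and the token matched.');
}

// GET: render the form with the token embedded so only pages served by this
// origin (which can read the token) are able to submit it.
$token = htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8');
echo '<form method="post" action="csrf_demo.php">'
   . '<input type="hidden" name="csrf_token" value="' . $token . '">'
   . '<button type="submit">Do something</button>'
   . '</form>';
```

Two caveats a practitioner would want noted: the token only protects state-changing requests, so keep those on POST and never let a GET do work; and a cURL client that has legitimately logged in can still fetch the form, read the token and submit it, which, as the comment above says, is not a CSRF problem because that client holds the user's real session.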

0 Answers