5

I've got a submission form, with 9 fields, 6 of which require validation, including a upload field with file size and file type validation.

Generating a random token, to prevent CSRF is working, but what is the correct way to validate when using a token?

If I do the validation within the same file, the token is regenerated with the validation reload. (can this be prevented? I've tried isset() but still regenerates.) However using the same file prevents the users Name and Email from being stored in a session.

Is it best to do the validation within a separate file, which then redirects back to the form with basic variables in the URL for each error, i.e. http://www.example.com/form?n=1

Using a separate file would also mean storing the form data within session, so the form can be repopulated if errors exist on the redirect.

Any help gratefully received.

TimWolla
  • 31,849
  • 8
  • 63
  • 96
Chris Eagle
  • 53
  • 1
  • 1
  • 3
  • Those articles might help you: > [https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)](https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29) > [https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet](https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29_Prevention_Cheat_Sheet) – Yves Lange Jan 27 '12 at 15:32
  • I found [this article by Chris](http://shiflett.org/articles/cross-site-request-forgeries) very good in explaining what CSRF is and how to protect yourself against it. – Alfred Jun 30 '11 at 10:54
  • Thanks for that, he has covered it slightly better than in the book. – Chris Eagle Jun 30 '11 at 11:30
  • `md5(uniqid(rand(), TRUE));` shouldn't be trusted for security contexts. https://stackoverflow.com/a/31683058/4357238 – Edward May 27 '17 at 20:25

1 Answers1

1

From experience, CodeIgntier does great CSRF implementation, among other security mesures. I would suggest that you go over their code to gain a good understanding of the whole process. Also see this.

Sukumar
  • 3,502
  • 3
  • 26
  • 29