
We're trying to secure our website - is it possible for someone to bypass our site's requirement for cookies when submitting forms? We're trying to prevent cross-site attacks. Thanks

1 Answer

I think you mean Cross Site Request Forgery (CSRF). This can be easily prevented with a special CSRF token in your form.

The token should be different every time the form gets displayed.

```php
<?php
session_start();
// Generate an unpredictable token: md5(time()) is guessable to the second,
// so use the CSPRNG instead and keep the value server-side in the session.
$token = bin2hex(random_bytes(32));
$_SESSION['csrf_token'] = $token;
?>
```

Include it in your form.

```html
<!-- method="post" so the token arrives in $_POST, where it is verified -->
<form method="post">
    <input type="hidden" name="csrf_token" value="<?php echo $token; ?>">
    ...
</form>
```

And verify it on the server on form submission.

```php
<?php
session_start();
$storedToken = $_SESSION['csrf_token'] ?? null;
unset($_SESSION['csrf_token']); // consume the token before comparing so it is single-use
// hash_equals() is a constant-time comparison; '==' would also allow loose-type matches
if ($storedToken !== null && isset($_POST['csrf_token'])
    && hash_equals($storedToken, $_POST['csrf_token'])) {
    ...
}
?>
```

Make sure the token can only be used exactly once.

Also use SSL to improve security if not already in place.
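As an added example that is not part of the answer above, the same synchronizer-token lifecycle in Python, with a plain dict standing in for `$_SESSION`: an unguessable token is issued when the form is rendered, consumed on first use, compared in constant time, and the checks show that a replayed token and a cross-site request that cannot carry the victim's token are both rejected. The function names, the `amount` field and the in-memory session are assumptions for illustration.

```python
import hmac
import secrets
from typing import Optional

SESSION_KEY = "csrf_token"  # same key the PHP answer stores in $_SESSION


def issue_token(session: dict) -> str:
    """Called when the form is rendered: store a fresh CSPRNG token server-side."""
    token = secrets.token_hex(32)  # 64 hex chars, not derivable from the clock
    session[SESSION_KEY] = token
    return token


def verify_token(session: dict, submitted: Optional[str]) -> bool:
    """Called on submission: the stored token is removed *before* comparing,
    so a second submission with the same value fails (single use)."""
    stored = session.pop(SESSION_KEY, None)
    if stored is None or submitted is None:
        return False
    # constant-time comparison; '==' would leak timing and allow loose matches
    return hmac.compare_digest(stored, submitted)


def handle_post(session: dict, form: dict) -> str:
    """Minimal form handler: only accept when the token round-trips correctly."""
    if not verify_token(session, form.get("csrf_token")):
        return "rejected"
    return "accepted"


def demo() -> dict:
    """Constructed scenarios; the dict is the victim's server-side session."""
    results = {}
    session: dict = {}
    token = issue_token(session)
    # 1. genuine submission from the form our site rendered
    results["legit"] = handle_post(session, {"csrf_token": token, "amount": "10"})
    # 2. the same token submitted again (double submit / replay) must fail
    results["replay"] = handle_post(session, {"csrf_token": token, "amount": "10"})
    # 3. a request from another origin has no way to read the session's
    #    token, so it arrives without one or with a guessed value
    issue_token(session)
    results["forged_missing"] = handle_post(session, {"amount": "9999"})
    issue_token(session)
    results["forged_guess"] = handle_post(session, {"csrf_token": "0" * 64})
    return results
```

Note that, as the comment thread below says, none of this stops a script that first loads the form and reads the token; it only stops a third-party page from submitting on behalf of a logged-in user.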


2 Comments

Thanks - What's to stop someone creating a bot that automatically takes the token and responds?
That's what captchas are for, and a different problem. Your concern was "cross-site attacks". If a bot submits the form it's not cross-site. Everyone with access to the form can submit it.
