How to properly add cross-site request forgery CSRF token using PHP

Question

I am trying to add some security to the forms on my website. One of the forms uses AJAX and the other is a straightforward "contact us" form. I'm trying to add a CSRF token. The problem I'm having is that the token is only showing up in the HTML "value" some of the time. The rest of the time, the value is empty. Here is the code I am using on the AJAX form:

PHP:

if (!isset($_SESSION)) {
    session_start();
$_SESSION['formStarted'] = true;
}
if (!isset($_SESSION['token']))
{$token = md5(uniqid(rand(), TRUE));
$_SESSION['token'] = $token;

}

HTML

 <form>
//...
<input type="hidden" name="token" value="<?php echo $token; ?>" />
//...
</form>

Any suggestions?

User · Answer

Security Warning  md5 uniqid rand    TRUE   is not a secure way to generate random numbers  See this answer for more information and a solution that leverages a cryptographically secure random number generator    Looks like you need an else with your if   if   isset   SESSION  token            token   md5 uniqid rand    TRUE          SESSION  token      token        SESSION  token time     time      else        token     SESSION  token

User · Answer

For security code  please don t generate your tokens this way   token   md5 uniqid rand    TRUE      rand   is predictable uniqid   only adds up to 29 bits of entropy md5   doesn t add entropy  it just mixes it deterministically   Try this out   Generating a CSRF Token  PHP 7  session start    if  empty   SESSION  token             SESSION  token     bin2hex random bytes 32       token     SESSION  token      Sidenote  One of my employer s open source projects is an initiative to backport random bytes   and random int   into PHP 5 projects  It s MIT licensed and available on Github and Composer as paragonie random compat   PHP 5 3   or with ext-mcrypt   session start    if  empty   SESSION  token           if  function exists  mcrypt create iv                SESSION  token     bin2hex mcrypt create iv 32  MCRYPT DEV URANDOM          else             SESSION  token     bin2hex openssl random pseudo bytes 32             token     SESSION  token      Verifying the CSRF Token  Don t just use    or even      use hash equals    PHP 5 6  only  but available to earlier versions with the hash-compat library    if   empty   POST  token           if  hash equals   SESSION  token      POST  token                   Proceed to process the form data       else               Log this as a warning and keep an eye on these attempts             Going Further with Per-Form Tokens  You can further restrict tokens to only be available for a particular form by using hash hmac    HMAC is a particular keyed hash function that is safe to use  even with weaker hash functions  e g  MD5   However  I recommend using the SHA-2 family of hash functions instead   First  generate a second token for use as an HMAC key  then use logic like this to render it    lt input type  hidden  name  token  value   lt  php     echo hash hmac  sha256     my form php     SESSION  second token       gt     gt    And then using a congruent operation when verifying the token    calc   hash hmac  sha256     my form php     SESSION  second token     if  hash equals  calc    POST  token              Continue        The tokens generated for one form cannot be reused in another context without knowing   SESSION  second token    It is important that you use a separate token as an HMAC key than the one you just drop on the page   Bonus  Hybrid Approach   Twig Integration  Anyone who uses the Twig templating engine can benefit from a simplified dual strategy by adding this filter to their Twig environment    twigEnv- gt addFunction      new  Twig SimpleFunction           form token           function  lock to   null                if  empty   SESSION  token                         SESSION  token     bin2hex random bytes 32                              if  empty   SESSION  token2                         SESSION  token2     random bytes 32                             if  empty  lock to                     return   SESSION  token                              return hash hmac  sha256    lock to    SESSION  token2                          With this Twig function  you can use both the general purpose tokens like so    lt input type  hidden  name  token  value     form token         gt    Or the locked down variant    lt input type  hidden  name  token  value     form token   my form php         gt    Twig is only concerned with template rendering  you still must validate the tokens properly  In my opinion  the Twig strategy offers greater flexibility and simplicity  while maintaining the possibility for maximum security     Single-Use CSRF Tokens  If you have a security requirement that each CSRF token is allowed to be usable exactly once  the simplest strategy regenerate it after each successful validation  However  doing so will invalidate every previous token which doesn t mix well with people who browse multiple tabs at once   Paragon Initiative Enterprises maintains an Anti-CSRF library for these corner cases  It works with one-use per-form tokens  exclusively  When enough tokens are stored in the session data  default configuration  65535   it will cycle out the oldest unredeemed tokens first

User · Answer

CSRF protection

TYPES OF CSRF USAGE

IN FORM

<form>
   @csrf
</form>

or

<input type="hidden" name="token" value="{{ form_token() }}" />

META TAG

<meta name="csrf-token" content="{{ csrf_token() }}">

AJAX

$.ajaxSetup({
    headers: {
        'X-CSRF-TOKEN': $('meta[name="csrf-token"]').attr('content')
    }
});

SESSION

use Illuminate\Http\Request;

Route::get('/token', function (Request $request) {
    $token = $request->session()->token();

    $token = csrf_token();

    // ...
});

MIDDLEWARE

 App\Providers\RouteServiceProvider

<?php

namespace App\Http\Middleware;

use Illuminate\Foundation\Http\Middleware\VerifyCsrfToken as Middleware;

class VerifyCsrfToken extends Middleware
{
    /**
     * The URIs that should be excluded from CSRF verification.
     *
     * @var array
     */
    protected $except = [
        'stripe/*',
        'http://example.com/foo/bar',
        'http://example.com/foo/*',
    ];
}

User · Answer

The variable  token is not being retrieved from the session when it s in there

[php] How to properly add cross-site request forgery (CSRF) token using PHP

The answer is

Examples related to php

Examples related to security

Examples related to session

Examples related to csrf

Tags