The best fundamental CSRF tutorial I have ever seen.
thank you
This was simple yet powerful. Thank you.
thank you!
Coding Passive. You guys are the best at this. I salute you, bro.
Thank you !
Awesome, very simple and to the point! Great Job!!
Glad it was helpful!
The best tutorial for me so far. Greetings from Mexico.
Glad I could help :)
Fantastic job sharing this information and creating this tutorial.
Thanks! A very useful tutorial!
You're welcome :)
A good simple solution and good explanation.
Very good, I learn a lot from your videos.
Lucian Constantin Nutu Awesome, I am so happy that I could help you. :D
The token doesn't change, even after a page reload. I tried your code and ran it on localhost. Then I downloaded the page as HTML, opened it in the browser and ran it again. With success; no errors.
After you have echoed your username, you should add "unset($_SESSION['key']);" to avoid people downloading the page as HTML to their localhost and then submitting it again and again. My point is (with all due respect) that your CSRF protection is useless. Always unset sessions when they have done their job.
Amazing... this video helps me so much. Cheers, dude.
Glad I could help, cheers!
More security, more power. Good tutorial 😎😎 I learned a lot.
Absolutely, glad it was useful for you! :)
If the action method points to another page, then the $csrf won't be echoed out in the value, right? That is the part I don't understand, because I thought you had to echo out the $_SESSION value in the form instead?
Great tutorial. Thanks Senaid.
DA IG thank you so much
Do we need to echo out the username? What if I want to send something else? I'm a newbie, can someone explain?
Hi, if I use a constant for this protection, is it still good?
Example:
<?php
session_start();
// Per-session secret used as the HMAC key; created once, never sent to the client.
if (empty($_SESSION['key'])) {
    $_SESSION['key'] = bin2hex(random_bytes(32));
}
// Token bound to this page; this is the value the form carries in csrf_ajax.
define('ADAT', hash_hmac('sha256', 'text: index.php', $_SESSION['key']));
if ($_POST) {
    $csrf_ajax = $_POST['csrf_ajax'] ?? '';
    // Compare against the token that was issued (ADAT), not the raw session key.
    if (hash_equals(ADAT, $csrf_ajax)) {
        echo "OK!";
    } else {
        echo "NOT OK!";
        exit;
    }
}
I finally got it to work when trying out your code on its own, but now I need to figure out where it goes in my login form.... I have two forms on my main page and I don't know where to add it... I also followed what you did at the end of the tutorial, changing the session value to check whether it is working, and I got it to work... It said failed when I had the wrong token, but how would I set it back to the real token to make it true?
Is it really necessary to use the pepper? hash_hmac?
Hello, thanks for the tutorial. I would like to ask you to zoom in on the screen in future tutorials.
Thank you for the feedback! Can you please tell me which part you find hard to see?
Is there a way to append the $csrf variable to the form action? Something like this?
First name: But my URL looks weird: csrf=%27.$csrf.%27
Post the entire line here showing how you are trying to achieve it.
Can I use this code for AJAX?
For example: I have index.html, and there I have an AJAX request done with jQuery; my URL for PHP is another file (send.php).
Idol. Simple and direct.
thank you :)
Hi Senaid, big thanks for this tutorial and for sharing this information.
I have problems understanding the technique behind this method. After every page refresh the token is always the same. An attacker just needs to visit the page and copy the token from the source code into his faked form, with a hidden attribute, token name and token value. As long as the same session exists (max. 24 hours, or until the browser is closed) he could use this token again and again to fire requests at my site.
Does it make sense to generate a new token on every refresh, so that the token is available for just one request? Is this safer?
Best regards!
Sure, this solution right now is insecure. For example, you can use a different submit field name, and that will skip the check. Also, you are correct: you can copy and reuse the token (per page). What you really want is to bake into the generation of the token something unique, like a timestamp (let's say rounded to 5 minutes, so it is valid only for 5 minutes, to mitigate the risk). That will work well even in cases where you are using JWT tokens, not just sessions. Another workaround is to re-enforce login of the user prior to a dangerous user action (transfer money, change e-mail, change password, etc.; anything security related where the attacker could gain control of the user account).
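The approach sketched in the reply above (bind the token to the page and to a 5-minute time slot, and validate every POST no matter which submit button was used), as an added example; this is not the tutorial's code. The function names csrf_key(), csrf_token() and csrf_validate(), the action name transfer.php and the $_SESSION['key'] slot are assumptions for the illustration:

```php
<?php
// Added example, not the tutorial's code: stateless CSRF token bound to the
// form action and to a 5-minute window, derived with HMAC from a per-session key.
declare(strict_types=1);

const CSRF_WINDOW = 300; // seconds; a token is accepted in its own slot and the previous one

function csrf_key(): string
{
    // Per-session secret (assumed slot name); created once, never sent to the client.
    if (empty($_SESSION['key'])) {
        $_SESSION['key'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['key'];
}

function csrf_token(string $action, ?int $now = null): string
{
    $now = $now ?? time();
    $slot = intdiv($now, CSRF_WINDOW);           // "timestamp rounded to 5 minutes"
    return hash_hmac('sha256', $action . '|' . $slot, csrf_key());
}

function csrf_validate(string $action, ?string $submitted, ?int $now = null): bool
{
    if ($submitted === null || $submitted === '') {
        return false;
    }
    $now = $now ?? time();
    // Accept the current slot and the one before it, so a form rendered at
    // 12:04:59 and submitted at 12:05:01 is not rejected at the slot boundary.
    foreach ([0, CSRF_WINDOW] as $back) {
        if (hash_equals(csrf_token($action, $now - $back), $submitted)) {
            return true;
        }
    }
    return false;
}

session_start();

// Check on *every* POST, independent of the submit button's name, so renaming
// or omitting the submit field cannot bypass the check.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_validate('transfer.php', $_POST['csrf'] ?? null)) {
        http_response_code(403);
        exit('CSRF check failed');
    }
    // ... perform the state-changing action here ...
}

$token = csrf_token('transfer.php');
?>
<form method="post" action="transfer.php">
  <input type="hidden" name="csrf"
         value="<?= htmlspecialchars($token, ENT_QUOTES, 'UTF-8') ?>">
  <button type="submit" name="send">Send</button>
</form>
```

A cross-site attacker still cannot read this token, because the same-origin policy keeps the victim's page source out of reach; the time slot only limits how long a token that has leaked some other way (for example the saved-HTML case discussed earlier in the thread) stays useful. If the form posts to a different file, that file must call csrf_validate() with the same action string that was used to mint the token, otherwise the HMAC will not match.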
Escape XSS on the username value using the htmlspecialchars function?
yes
I really thank you, bro, totally helpful.
teo invis thank you :)
This looks great! I thought it would be good enough to use htmlspecialchars and strip_tags, but I didn't know that I had to use this! I have an undefined $csrf error, but then I am trying to post it to another page.....
Sorry sir, //start session //create a key for the hash_hmac function //create the csrf token //validate the token.
Where do I write this code in MVC?
In methods inside a model, and you call one function like $form->new(); from your controller.
I also don't know why I got a failure for my $csrf value.... How do you get this to work when sending a form to another page?
@Christian Delvianto thanks!
But wouldn't this generate two different tokens on page A and page B, so they will always differ and therefore won't work with the form?
Very nice video, sir.
Thank you :)
What is it used for... How does an attacker attack without this?
Why put HTML and PHP code on the same page? If you put them on separate pages, would it work?
Yes, it will work. This is just what I prefer, it's not a must.
In this video, you generated the token on the server side. In other videos, the token was generated on the client side. Does it make a difference?
So the solution is to make each page have a token?
Can I use this via AJAX?
Do you mean on making a protection on this way or something else?
How do I achieve this in AJAX with jQuery??
I don't understand how it is secure if the user can just do an inspect element and see the token?
It's for a reason: "Cross-Site" Request Forgery
You seemed to me like one of our people! Where are you from, Senaid? Or is it Senad?
Senaid is correct :), and I'm from BiH.
How can we expire the CSRF token?
Hmm, you can do something as simple as storing some time in the future in the session, and then each time check if now > future time.
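The expiry idea in the reply above (keep a future timestamp next to the token in the session and reject once now is past it), combined with dropping the token after a successful check as suggested earlier in the thread, as an added example that is not the tutorial's code. The function names csrf_issue() and csrf_check(), the $_SESSION['csrf'] slot and the 15-minute lifetime are assumptions for the illustration:

```php
<?php
// Added example, not the tutorial's code: random per-session token stored
// with an expiry time, compared with hash_equals(), and consumed on success.
declare(strict_types=1);

const CSRF_TTL = 900; // seconds a token stays valid (assumed: 15 minutes)

function csrf_issue(?int $now = null): string
{
    $now = $now ?? time();
    // Reuse the current token while it is still valid, so several forms on one
    // page (e.g. login and register) share it; otherwise mint a fresh one.
    $cur = $_SESSION['csrf'] ?? null;
    if ($cur === null || $cur['expires'] <= $now) {
        $cur = [
            'value'   => bin2hex(random_bytes(32)),
            'expires' => $now + CSRF_TTL,   // the "time in the future" from the reply
        ];
        $_SESSION['csrf'] = $cur;
    }
    return $cur['value'];
}

function csrf_check(?string $submitted, ?int $now = null): bool
{
    $now = $now ?? time();
    $cur = $_SESSION['csrf'] ?? null;
    if ($cur === null || $submitted === null || $submitted === '') {
        return false;
    }
    // now > future time: the stored token is dead even if the value matches.
    if ($cur['expires'] <= $now) {
        unset($_SESSION['csrf']);
        return false;
    }
    if (!hash_equals($cur['value'], $submitted)) {
        return false;
    }
    // Single use: forget the token once it has done its job, so a saved copy
    // of the page cannot be resubmitted with the same value.
    unset($_SESSION['csrf']);
    return true;
}

session_start();

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_check($_POST['csrf'] ?? null)) {
        http_response_code(403);
        exit('CSRF check failed');
    }
    echo 'OK';
}

$token = csrf_issue();   // after a successful POST this mints the next token
?>
<form method="post">
  <input type="hidden" name="csrf"
         value="<?= htmlspecialchars($token, ENT_QUOTES, 'UTF-8') ?>">
  <button type="submit">Go</button>
</form>
```

Single-use tokens have a usability cost: if the user has the same form open in two tabs, the second submission fails because the first one consumed the token, and the page must re-render the form with the newly issued value. Where that matters, keep the expiry check and drop the unset() on success; the token is then reusable until it expires, which is what the reply above describes.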
Nice.
Thank you very much
How to use CSRF in REST API
Thank you :)
Thank you so much! Appreciate the support. :)
But anyone can simply grab the value from the response text of the HTTP request!!
Nice and easy :)
thank you
It is my pleasure! :D
Which laptop?
Hmmm?
hi