PHP Security Tutorial: Cross-Site Request Forgery (CSRF) Protection

  • Published 3 Oct 2024

COMMENTS • 78

  • @QouteOfTheDay
    @QouteOfTheDay 5 years ago +7

    This was simple yet powerful. Thank you.

  • @yudisthira7819
    @yudisthira7819 2 years ago

    the best fundamental csrf tutorial I have ever seen

  • @DavidAinsworth37
    @DavidAinsworth37 1 year ago

    Fantastic job sharing this information and creating this tutorial.

  • @envadd.6556
    @envadd.6556 2 years ago +1

    Awesome, very simple and to the point! Great Job!!

  • @michaelgonzalez3251
    @michaelgonzalez3251 5 years ago +2

    the best tutorial for me so far, greetings from Mexico.

  • @premieradvertisingmedialtd7882
    @premieradvertisingmedialtd7882 5 years ago +1

    Coding Passive. You guys are the best in this thing. I salute you, bro.

  • @Asimoffs
    @Asimoffs 5 years ago +1

    Thanks! Very useful tutorial!

  • @eugenestan2188
    @eugenestan2188 2 years ago

    A good simple solution and good explanation.

  • @xiallou5958
    @xiallou5958 5 years ago +1

    More security, more power. Good tutorial 😎😎 I learned a lot

  • @lucianconstantinnutu6440
    @lucianconstantinnutu6440 7 years ago +2

    Very good, I learn a lot from your videos

    • @SenaidBacinovic
      @SenaidBacinovic 7 years ago

      Lucian Constantin Nutu Awesome, I am so happy that I could help you. :D

  • @xcstYT
    @xcstYT 5 years ago +2

    amazing.. this video helps me so much. cheers dude

  • @fredoscott2346
    @fredoscott2346 4 years ago +1

    The token doesn't change, even after a page reload. I tried your code and ran it on localhost. Then I downloaded the page as HTML, opened it in the browser and ran it again. With success; no errors.
    After you have echoed your username, you should add "unset($_SESSION['key']);" to avoid people downloading the page as HTML to their localhost and then submitting it again and again. My point is (with all due respect) that your csrf protection is useless. Always unset sessions when they have done their job.

  • @daig6685
    @daig6685 7 years ago +1

    Great tutorial. Thanks Senaid.

  • @alvinalinabon
    @alvinalinabon 6 years ago +1

    lodi. simple and direct.

  • @spikeisback
    @spikeisback 4 years ago

    Nice.

  • @teomandi
    @teomandi 6 years ago +1

    I really thank you bro, totally helpful

  • @trivediakshay3368
    @trivediakshay3368 5 years ago +1

    Very nice video sir

  • @pianoLee-sx9dx
    @pianoLee-sx9dx 5 years ago

    This looks great! I thought that it would be good enough to use htmlspecialchars and strip_tags, but I didn't know that I have to use this! I have an undefined $csrf error, but then I am trying to post it to another page.....

  • @mahmoudsamyessawy
    @mahmoudsamyessawy 6 years ago

    Thank you very much

  • @benitoesteban3927
    @benitoesteban3927 7 years ago +1

    Hello, thanks for the tut. I would like to ask you to zoom the screen for future tutorials.

    • @SenaidBacinovic
      @SenaidBacinovic 7 years ago

      Thank you for the feedback! Can you please tell me which part you find hard to see?

  • @Anod26
    @Anod26 3 years ago

    Nice and easy :)

  • @alexandersoderstrom7140
    @alexandersoderstrom7140 2 years ago

    Do we need to echo out the username? What if I want to send something else? Newbie, can someone explain?

  • @pianoLee-sx9dx
    @pianoLee-sx9dx 5 years ago

    I finally got it to work when trying out your code on its own, but now I need to figure out where it goes in my login form.... I have two forms on my main page, I don't know where to add it... I also followed what you did at the end of the tutorial by changing the session value to check to see if it is working and I got it to work... It said failed when I have the wrong token, but how would I set it back to the real token to make it true?

  • @vladimirzlatanovic1947
    @vladimirzlatanovic1947 3 years ago

    You looked to me like you have one of our faces! Where are you from, Senaid? Or is it Senad?

  • @lucianconstantinnutu6440
    @lucianconstantinnutu6440 7 years ago +1

    thank you

  • @logicalsyntaxerror
    @logicalsyntaxerror 7 years ago +1

    Thank you :)

    • @SenaidBacinovic
      @SenaidBacinovic 7 years ago

      Thank you so much! Appreciate the support. :)

  • @peterkovacs9086
    @peterkovacs9086 2 years ago

    Hi, if I use a constant for this protection, is it still good?
    Example:
    define('ADAT', hash_hmac('sha256', 'text: index.php', $_SESSION['key']));
    if ($_POST) {
        $csrf_ajax = $_POST['csrf_ajax'];

        if (hash_equals($_SESSION['key'], $csrf_ajax)) {
            echo "OK!";
        } else {
            echo "NOT OK!";
            exit;
        }
    }

  • @amolborse9012
    @amolborse9012 3 years ago

    How to use CSRF in REST API

  • @pianoLee-sx9dx
    @pianoLee-sx9dx 5 years ago

    If the action method is to another page, then the $csrf won't be echoed out in the value, right? That is the part where I don't understand, because I thought you have to echo out the $_session in the form instead?

  • @taras19950610
    @taras19950610 6 years ago

    can I use this code for ajax?
    for example: I have index.html and there I have an ajax request which is done by jQuery; my url for php is another file (send.php)

  • @m.alaiady3627
    @m.alaiady3627 4 years ago

    so the solution is to make each page have a token ?

  • @codegate615
    @codegate615 5 years ago

    Is it really necessary to use the pepper? h_mac?

  • @developeraccount438
    @developeraccount438 6 years ago

    What is its use... How does an attacker attack without this?

  • @mnageh-bo1mm
    @mnageh-bo1mm 5 years ago

    but simply anyone can grab the value from the response text of the http request !!

  • @owaisahmed7820
    @owaisahmed7820 5 years ago +1

    how can we expire csrf token?

    • @SenaidBacinovic
      @SenaidBacinovic 5 years ago

      Hmm, you can do something as simple as storing some time in the future to the session, and then each time check if now > future time.

  • @developeraccount438
    @developeraccount438 5 years ago

    How do I achieve this in ajax jQuery??

  • @jonschneider9768
    @jonschneider9768 5 years ago

    I don't understand how it is secure if the user can just do an inspect element and see the token?

    • @SenaidBacinovic
      @SenaidBacinovic 5 years ago

      It's for a reason: "Cross-Site" Request Forgery

  • @mervinlee2533
    @mervinlee2533 5 years ago

    Is there a way to append the $csrf variable to the form action? such as something like this?
    First name: But my url looks weird: csrf=%27.$csrf.%27

    • @SenaidBacinovic
      @SenaidBacinovic 5 years ago

      Post here the entire line of how you are trying to achieve it?

  • @sniperghost1994
    @sniperghost1994 7 years ago

    Sorry sir, //start session //create a key for hash_hmac function //create csrf token //validate token.
    Where do I write down this code in MVC?

    • @nanophree
      @nanophree 5 years ago

      In methods inside a model and you call one function like $form->new(); from your controller.

  • @mamounbenhafsa
    @mamounbenhafsa 4 years ago

    escape xss on the username value using the htmlspecialchars function?

  • @CoutchPotato1981
    @CoutchPotato1981 5 years ago

    Hi Senaid, big thanks for this tutorial and for sharing information.
    I have problems understanding the technique behind this method. After every page refresh the token is always the same. An attacker just needs to visit the page and copy the token from the source code into his faked form with hidden attribute, token name and token value. As long as the same session exists (max. 24 hours or until the browser was closed) he could use this token again and again to fire requests to my site.
    Does it make sense to generate a new token on every refresh so the token is available just for one request? Is this safer?
    Best regards!

    • @JulianBG
      @JulianBG 4 years ago +1

      Sure, this solution right now is insecure. For example you can have different Submit field name, so that will skip the check. Also you are correct, you can copy and reuse the token (per page). What you really want is to bake into generation of the token something unique, like timestamp (let's say rounded to 5 minutes, so it is valid only for 5 min to mitigate the risk). That will work well even in cases where you are using JWT tokens, not just sessions. Another workaround is to re-enforce login of the user prior to the dangerous user action (transfer money, change e-mail, password, etc, which is security related and the attacker can gain control of the user account).
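One way to turn the points raised in this thread and in the expiry reply above into working code: a token that is generated fresh on every render (so the copied page source stops working), consumed on first use (the unset that @fredoscott2346 asked for), expired after a fixed time (the "store a future time in the session" idea from @SenaidBacinovic), and checked on every POST rather than only when a particular submit button name is present (@JulianBG's point). This is an added example for this page, not code from the video or from any commenter. The form id 'greeting', the hidden field name csrf, and the 5-minute lifetime are assumptions.

```php
<?php
// Added example (not code from the video or from any commenter).
// Single-use CSRF tokens with an expiry, stored in the PHP session and
// checked on every POST regardless of which submit button name is present.
declare(strict_types=1);

// Assumption: a token is accepted for at most 5 minutes after it is issued.
const CSRF_TTL_SECONDS = 300;

// Issue a fresh random token for $formId, remember it with its expiry time,
// and return it so the page can embed it in a hidden field.
function csrf_issue(string $formId): string
{
    $token = bin2hex(random_bytes(32));
    $_SESSION['csrf'][$formId][$token] = time() + CSRF_TTL_SECONDS;
    return $token;
}

// Validate and consume a submitted token. It must be one issued for $formId,
// must not be expired, and is deleted on success so a token copied from the
// page source cannot be replayed. Expired tokens are purged as they are seen.
function csrf_consume(string $formId, $submitted): bool
{
    if (!is_string($submitted) || $submitted === '') {
        return false;
    }
    $now = time();
    foreach ($_SESSION['csrf'][$formId] ?? [] as $token => $expiresAt) {
        $token = (string) $token;
        if ($expiresAt < $now) {
            unset($_SESSION['csrf'][$formId][$token]); // stale: drop it
            continue;
        }
        if (hash_equals($token, $submitted)) {
            unset($_SESSION['csrf'][$formId][$token]); // single use
            return true;
        }
    }
    return false;
}

session_start();
$formId  = 'greeting';
$message = '';

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // Every POST is checked; a forged request that omits or renames the
    // submit button still has to present a valid, unused token.
    if (!csrf_consume($formId, $_POST['csrf'] ?? null)) {
        http_response_code(403);
        exit('Invalid or expired CSRF token.');
    }
    $username = (string) ($_POST['username'] ?? '');
    // Escape before echoing so the username cannot inject markup.
    $message  = 'Hello, ' . htmlspecialchars($username, ENT_QUOTES, 'UTF-8');
}

// A new token on every render: reloading the page changes the hidden value.
$token = csrf_issue($formId);
?>
<!doctype html>
<form method="post" action="">
  <input type="hidden" name="csrf" value="<?= htmlspecialchars($token, ENT_QUOTES, 'UTF-8') ?>">
  <label>Username: <input type="text" name="username"></label>
  <button type="submit" name="send">Send</button>
</form>
<?php if ($message !== ''): ?>
<p><?= $message ?></p>
<?php endif; ?>
```

Several outstanding tokens are kept per form so that a user with the page open in two tabs can submit from either; each token still works only once and only within its lifetime. The token being visible in the logged-in user's own page source is expected: the protection relies on a third-party site not being able to read this user's response (the browser's same-origin policy), which is why the token only has to be unpredictable, fresh and tied to the session, not hidden from the user.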

  • @pianoLee-sx9dx
    @pianoLee-sx9dx 5 years ago

    I also don't know why I got a failed for my $csrf value.... How do you get this to work when sending a form to another page?

    • @mervinlee2533
      @mervinlee2533 5 years ago

      @Christian Delvianto thanks!

    • @mervinlee2533
      @mervinlee2533 5 years ago

      But wouldn't this generate two different tokens on page A and B and hence will always be different and therefore won't work with the form?

  • @spicytuna08
    @spicytuna08 6 years ago

    why put html and php code on the same page? if you put it separate pages, would it work?

    • @SenaidBacinovic
      @SenaidBacinovic 6 years ago +1

      Yes, it will work. This is just what I prefer, it's not a must.

    • @spicytuna08
      @spicytuna08 6 years ago

      In this video, you generated the token from the server side. In other videos, the token was generated from the client side. Does it make a difference?

  • @logicalsyntaxerror
    @logicalsyntaxerror 7 years ago +1

    can i use this via ajax?

    • @SenaidBacinovic
      @SenaidBacinovic 7 years ago

      Do you mean on making a protection on this way or something else?

  • @adilismail3593
    @adilismail3593 5 years ago

    Which LAPTOP

  • @rizwanag7238
    @rizwanag7238 3 years ago

    hi