Protection in Ajax request with php


I created a page where I use the POST method with jQuery to call another page, which returns some calculations.

Trying to protect it, I did the following on the page:

INDEX PAGE:

PHP

<?php
    // Use a custom session name and keep the session id out of URLs.
    session_name('ola');
    $secure   = false;   // cookie is also sent over plain HTTP
    $httponly = true;    // cookie not readable from JavaScript
    ini_set('session.use_only_cookies', '1');
    $cookieParams = session_get_cookie_params();
    session_set_cookie_params(
        $cookieParams["lifetime"],
        $cookieParams["path"],
        $cookieParams["domain"],
        $secure,
        $httponly
    );
    session_start();
    // A new token is generated on every load of this page.
    $_SESSION['_token'] = hash('sha512', rand(100, 1000) . time() . 'ola');
?>

HTML

<input type="hidden" name="token" value="<?php echo $_SESSION['_token']; ?>" />

JQUERY

$.post("php/infowindows.php", { token: $("[name=token]").val() }, function (d) {
    alert(d);
});

PAGE CALCULATIONS:

<?php
    session_name('ola');
    session_start();
    // Reject the request unless the session has a token, the POST carries one,
    // and the two are identical.
    if (!isset($_SESSION['_token']) || !isset($_POST['token']) || $_POST['token'] !== $_SESSION['_token']) {
        die("Erro, morri!");
    }
    // Issue a fresh session id after a successful check.
    session_regenerate_id();
?>

I saw some posts, so I decided to write my own code. Given this, is it possible to say that it is "preventing" CSRF attacks?

  • Basically yes. It protects, but does not guarantee anything, as the token can be seen in the HTML code.

  • @Daniel Let's suppose that I encode the value of the hidden input, and when I receive it on the other page, I encode the session value the same way... Is that what you meant?

  • It makes no difference whether the token is encrypted, because it is possible to get the token just by reading the HTML code. But I am not saying it is not useful either. It is always good to use... But in fact it is not necessary in this way, because it is enough to check whether there is a session. You do not need to place in a hidden field a value that is already in the session. Something safer is to mix it with a cookie and "recycle" session id techniques. The idea is to hinder malicious or unauthorized actions.

  • @Danielomine I think this view may be mistaken regarding the session check. You say it is useful; I believe it has the following problem: if I only check the session, then when a person opens the first page the SESSION is generated, and if they then open the second page directly it will not raise an error, i.e. they can access the data directly through the second page. What do you think of this?

  • @Danielomine I am thinking here that I will add a session value built from personal data of the PC and browser... then compare it on the other page, and if it is different, do not allow entry...

  • It depends on how you implement it (in the case of the token). The important thing is that there is a starting point where the user is required to start, and only then make the request. What I commented about the token being in a hidden field is that it only makes it easier to circumvent, because even a bot could read the hidden field and send the request. Obviously, if you go straight to the "second page" where you receive the data, you will get an error due to the missing token. To get around this, just read the token from the first page automatically. With the token in hand, just make the request. Got it?

  • @Danielomine How would I do it without the token, or prevent the bot from reading it?

  • There are several techniques without captcha, and very efficient ones, to curb bots. One of them is to execute a JavaScript process in the return of the request result. The logic here is that most bots do not interpret or render the page (HTML, CSS, JS). In this return would be the final validation of the request. As a bot will not interpret the JavaScript of the return, the validation is not completed... bingo! hehe... Anyway, it is just one of several techniques for cases where the use of a captcha is not very feasible. We can say that it is a kludge, but it is efficient.

  • Is there a name for this process? Do you know of some code I can analyze?

  • CSRF Protection.

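For reference, below is a hardened version of the pattern in the question. This is an added example by the editor, not the asker's code or anyone's code from the thread. The security-relevant point the comments circle around: a token in a hidden field is readable only by scripts running on the same origin, so a cross-site page cannot fetch it; that is exactly what the synchronizer token pattern relies on. The weaknesses in the original are elsewhere: the token comes from `rand()`, it is replaced on every load of the index page (so a second open tab silently breaks the first), the comparison is not constant-time, and the session id is regenerated on every Ajax call. The example assumes PHP 7.3 or later (for `random_bytes`, `hash_equals` and the array form of `session_set_cookie_params`), that the site is served over HTTPS, and that both `index.php` and `php/infowindows.php` include this file before producing any output; the file name `csrf.php` and the function names are the editor's own.

```php
<?php
// csrf.php: added example (editor's code, not the asker's).
// Assumes PHP >= 7.3 and an HTTPS-only site.
declare(strict_types=1);

function csrf_session_start(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    session_name('ola');
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_strict_mode', '1');   // refuse uninitialised session ids
    $params = session_get_cookie_params();
    session_set_cookie_params([
        'lifetime' => $params['lifetime'],
        'path'     => $params['path'],
        'domain'   => $params['domain'],
        'secure'   => true,      // assumption: HTTPS everywhere
        'httponly' => true,
        'samesite' => 'Lax',     // browser-side CSRF defence, in addition to the token
    ]);
    session_start();
}

// Return the session's CSRF token, generating it once per session rather than
// on every page load, so several open tabs share one valid token.
function csrf_token(): string
{
    csrf_session_start();
    if (empty($_SESSION['_token'])) {
        $_SESSION['_token'] = bin2hex(random_bytes(32));   // CSPRNG, not rand()
    }
    return $_SESSION['_token'];
}

// True only if the session has a token, the request carried one, and they
// match. hash_equals() compares in constant time.
function csrf_validate(?string $submitted): bool
{
    csrf_session_start();
    if (!isset($_SESSION['_token']) || $submitted === null) {
        return false;
    }
    return hash_equals($_SESSION['_token'], $submitted);
}

// Call at the top of php/infowindows.php before doing any work.
// The Origin check is defence in depth; the token is the primary control.
function csrf_require_valid_post(): void
{
    if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
        http_response_code(405);
        exit('Method not allowed');
    }
    if (isset($_SERVER['HTTP_ORIGIN'])) {
        $https    = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
        $expected = ($https ? 'https://' : 'http://') . $_SERVER['HTTP_HOST'];
        if ($_SERVER['HTTP_ORIGIN'] !== $expected) {
            http_response_code(403);
            exit('Bad origin');
        }
    }
    if (!csrf_validate($_POST['token'] ?? null)) {
        http_response_code(403);
        exit('Erro, morri!');
    }
}

// Usage (hypothetical file layout, matching the question):
//
// index.php:
//   require __DIR__ . '/csrf.php';
//   $token = csrf_token();
//   <input type="hidden" name="token"
//          value="<?= htmlspecialchars($token, ENT_QUOTES, 'UTF-8') ?>">
//
// php/infowindows.php:
//   require __DIR__ . '/../csrf.php';
//   csrf_require_valid_post();
//   // ... calculations ...
```

Two design notes. First, `session_regenerate_id()` belongs at privilege changes (login, logout), not on every Ajax call: two concurrent requests racing to regenerate the id can leave one of them with a cookie the server no longer recognises. Second, the token never needs to be "encrypted" for the hidden field, as suggested in the comments; escaping it with `htmlspecialchars()` is what matters, and a cross-site attacker still cannot read it because the same-origin policy blocks them from reading the page at all.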
No answers
