How can I optimize my code to prevent Cross Site Request Forgery (CSRF)?

Asked on 2022-01-14 09:34:00

OFFICIAL ANSWER

Cross Site Request Forgery (CSRF) | OWASP Foundation

https://owasp.org/www-community/attacks/csrf

The security::get_csrf_token() and security::csrf_token_valid() functions, located in the sed_spam module, can be used to prevent CSRF attacks.

They enable the verification, in form-processing code, that the parameters were truly sent by the HTML form, not by some external link.

The token returned by security::get_csrf_token() is an encryption of the client's IP address, their sednove cookie and a timestamp. The security::csrf_token_valid() function verifies that it can decrypt the token using the same secret key. It also verifies that the retrieved IP address and sednove cookie match those of the user currently logged in and that the timestamp is not expired.

Usage example:

 <form method="post">
   <!-- value generated server-side by security::get_csrf_token() and checked on submit with security::csrf_token_valid() -->
   <input type="hidden" name="csrf_token" value="W7OEygKUBNSDFaJp63OjGH2atwLiPPebCqi1CdMuT88vrcwYhFlr5Mt1-bcOPoTJstn1eKuWHMh8YC6FI04=">
   <label for="name">What is your name?</label>
   <input type="text" id="name" name="name">
   <button type="submit">Submit</button>
 </form>

Answer by:
Pierre Laplante

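A working model of the token scheme the answer describes, added here as an illustration and not sednove's own code: a timestamp, the client IP and the session cookie are sealed with AES-GCM under a server secret, and validation decrypts with the same key, checks that the IP and cookie match the current requester, and rejects tokens older than an assumed lifetime. The function names, the 30-minute lifetime, the plaintext layout and the use of Go (rather than the module's own language) are assumptions; the clock is passed in explicitly so that expiry can be exercised.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"encoding/binary"
	"time"
)
const tokenTTL = 30 * time.Minute // assumed lifetime; the answer gives no figure
// NewAEAD wraps the server secret in AES-GCM, which encrypts and authenticates.
func NewAEAD(key []byte) cipher.AEAD { // key: 16, 24 or 32 bytes
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	aead, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return aead
}

// GetToken models security::get_csrf_token(): seal ts(8 bytes) || len(ip)(1) || ip || cookie.
func GetToken(aead cipher.AEAD, ip, cookie string, issued time.Time) string {
	plain := make([]byte, 8, 9+len(ip)+len(cookie))
	binary.BigEndian.PutUint64(plain, uint64(issued.Unix()))
	plain = append(append(append(plain, byte(len(ip))), ip...), cookie...)
	nonce := make([]byte, aead.NonceSize()) // fresh random nonce per token
	if _, err := rand.Read(nonce); err != nil {
		panic(err) // no entropy: refuse to issue a token
	}
	return base64.RawURLEncoding.EncodeToString(aead.Seal(nonce, nonce, plain, nil))
}

// TokenValid models security::csrf_token_valid(): open with the same key, then check IP, cookie and age.
func TokenValid(aead cipher.AEAD, token, ip, cookie string, now time.Time) bool {
	raw, err := base64.RawURLEncoding.DecodeString(token)
	if err != nil || len(raw) < aead.NonceSize() {
		return false
	}
	plain, err := aead.Open(nil, raw[:aead.NonceSize()], raw[aead.NonceSize():], nil) // rejects forged/altered
	if err != nil || len(plain) < 9 || len(plain) < 9+int(plain[8]) {
		return false
	}
	issued := time.Unix(int64(binary.BigEndian.Uint64(plain[:8])), 0)
	if age := now.Sub(issued); age < 0 || age > tokenTTL {
		return false // expired, or issued in the future
	}
	ipEnd := 9 + int(plain[8])
	return string(plain[9:ipEnd]) == ip && string(plain[ipEnd:]) == cookie
}
```

Because GCM authenticates the ciphertext, a token produced under another key or altered in transit fails at Open before the IP, cookie or timestamp are even inspected.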