Cross Site Request Forgery (CSRF) | OWASP Foundation
https://owasp.org/www-community/attacks/csrf
The security::get_csrf_token() and security::csrf_token_valid() functions, located in the sed_spam module, can be used to prevent CSRF attacks.
They enable the verification in form processing code that the parameters were truly sent by the HTML form, not by some external link.
The token returned by security::get_csrf_token() is an encryption of the client's IP address, their sednove cookie and a timestamp. The security::csrf_token_valid() function verifies that it can decrypt the token using the same secret key. It also verifies that the retrieved IP address and sednove cookie match that of the user currently logged in and that the timestamp is not expired.
Usage example:
<form> <input type="hidden" name="csrf_token" value="W7OEygWZGdSZCJBlxw27ftFshT-AAkmkFbYLEWQ88E3MpV7badIxhXHSLM3BoNhZ0zhy4EmWV2R7q7hZpN4="> <label>What is your name?</label> <input type="text" name="name"> <button type="submit">Submit</button> </form>
Replied on: 0000-00-00 00:00:00