Cross Site Request Forgery (CSRF) | OWASP Foundation
https://owasp.org/www-community/attacks/csrf
The security::get_csrf_token() and security::csrf_token_valid() functions, located in the sed_spam module, can be used to prevent CSRF attacks. They let form-processing code verify that the submitted parameters really came from the site's own HTML form, and not from a link or a form hosted on an external site.

The token returned by security::get_csrf_token() is an encryption of the client's IP address, their sednove cookie and a timestamp. security::csrf_token_valid() verifies that it can decrypt the token with the same secret key, that the IP address and sednove cookie recovered from the token match those of the user currently logged in, and that the timestamp has not expired. A forged token, a token issued to another user, or a token older than the allowed lifetime is therefore rejected. Because the token is bound to the client's IP address, a user whose address changes mid-session (for example on a mobile network) will need to reload the form to obtain a fresh token.
Usage example (the value of the hidden csrf_token field is a token produced by security::get_csrf_token(); the form is submitted with POST so that the token travels in the request body rather than in a URL, where it could leak through logs or the Referer header):

<form method="post">
  <input type="hidden" name="csrf_token" value="W7OEygWZGdSZCJBlxw27ftFshT3CAU6nGbYEEWQ88E35DVau31mZ4xBsErOIDVYxga4r72kSChANUvdAwxoL5xjGRl323dy8vJ0HShpuYwd-rPUR6uAg:SJLjGcv4Ldp6O09YikhTpUO13hypz3tnhzXGRRvqNZR0AtW7D54LS9NqpHjt:N4LOUeXbrzINKbOk:I2UMm1fIhIKgYCuHBEnjBLoO09gO1Yk5Y-Lf6HQCKPIYKq8wiQs:CmwQ=">
  <label>What is your name?</label>
  <input type="text" name="name">
  <button type="submit">Submit</button>
</form>
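The server-side check is what gives the hidden field its value. The following is an added example, not sednove's sed_spam code: it models security::get_csrf_token() and security::csrf_token_valid() with the same three checks the page describes (same secret key, IP address and cookie must match the requesting client, timestamp must not be expired). Where sednove encrypts IP, cookie and timestamp, this model binds the same three values with an HMAC-SHA256 tag instead, so the token carries only the timestamp and the tag and the cookie never appears in the page source. The secret key, the one-hour lifetime, the handle_form_post() helper and the sample IP and cookie are assumptions made for the example.

```python
"""
Added example modelling a CSRF token bound to client IP, session cookie and a
timestamp.  NOT sednove's sed_spam module: it reproduces the checks the page
describes using an HMAC-SHA256 tag over (ip, cookie, timestamp) in place of
encryption.  SECRET_KEY, TOKEN_TTL_SECONDS and handle_form_post are assumed.
"""
import base64
import binascii
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 3600              # assumed lifetime; the page does not state sednove's
SECRET_KEY = secrets.token_bytes(32)  # assumed server-side key; load from config in practice


def _tag(key, ip, cookie, ts):
    # Length-prefix each field so ("1.2.3.4", "5abc") and ("1.2.3.45", "abc")
    # cannot yield the same MAC input.
    fields = (ip.encode(), cookie.encode(), str(ts).encode())
    msg = b"".join(len(f).to_bytes(2, "big") + f for f in fields)
    return hmac.new(key, msg, hashlib.sha256).digest()


def get_csrf_token(key, ip, cookie, now=None):
    """Mint a token bound to this client's IP, cookie and the current time."""
    ts = int(time.time()) if now is None else int(now)
    raw = str(ts).encode() + b":" + _tag(key, ip, cookie, ts)
    return base64.urlsafe_b64encode(raw).decode("ascii")


def csrf_token_valid(key, token, ip, cookie, now=None, ttl=TOKEN_TTL_SECONDS):
    """True only if the token was minted under `key` for exactly this IP and
    cookie and is no older than `ttl` seconds."""
    try:
        raw = base64.urlsafe_b64decode(token.encode("ascii"))
        ts_bytes, tag = raw.split(b":", 1)   # the tag is raw bytes: split once only
        ts = int(ts_bytes)
    except (ValueError, binascii.Error):
        return False                          # malformed or truncated token
    now = int(time.time()) if now is None else int(now)
    if ts > now or now - ts > ttl:
        return False                          # expired (or minted in the future)
    expected = _tag(key, ip, cookie, ts)
    return hmac.compare_digest(expected, tag)  # constant-time comparison


def handle_form_post(fields, request_ip, request_cookie, key=SECRET_KEY):
    """Model of the form-processing check: reject the submission unless the
    hidden csrf_token field verifies for the client making the request."""
    token = fields.get("csrf_token", "")
    if not csrf_token_valid(key, token, request_ip, request_cookie):
        return "rejected: invalid or expired CSRF token"
    return "accepted: hello, %s" % fields.get("name", "")


if __name__ == "__main__":
    ip, cookie = "203.0.113.7", "sednove-session-abc123"   # constructed sample client
    token = get_csrf_token(SECRET_KEY, ip, cookie)
    print(handle_form_post({"csrf_token": token, "name": "Alice"}, ip, cookie))
    # A cross-site submission rides on the victim's cookie but cannot supply a
    # token minted under the server's key for that cookie:
    print(handle_form_post({"csrf_token": "forged", "name": "Mallory"}, ip, cookie))
```

As with the page's scheme, a token stays valid for its whole lifetime, so verification alone does not prevent the same form being submitted twice within that window; if single use matters, the processing code must additionally record tokens it has already accepted.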
Answered on: 0000-00-00 00:00:00