
How can I optimize my code to prevent Cross Site Request Forgery (CSRF)?

Asked on 2022-01-14 09:34:00

OFFICIAL ANSWER

Cross Site Request Forgery (CSRF) | OWASP Foundation

https://owasp.org/www-community/attacks/csrf

The security::get_csrf_token() and security::csrf_token_valid() functions, located in the sed_spam module, can be used to prevent CSRF attacks.

They let form-processing code verify that the parameters were really sent by the HTML form and not by some external link.

The token returned by security::get_csrf_token() is an encryption of the client's IP address, their sednove cookie and a timestamp. The security::csrf_token_valid() function verifies that it can decrypt the token using the same secret key. It also verifies that the retrieved IP address and sednove cookie match those of the user currently logged in and that the timestamp has not expired.

Usage example:

 <!-- Submit with POST so the token travels in the body, not in the URL -->
 <form method="post">
   <!-- Value produced server-side by security::get_csrf_token() -->
   <input type="hidden" name="csrf_token" value="W7OEygWZGdSZCJBlxw27ftFshT3BBU:oHLUIEWQ88E2W9sw9P7QbTOySM1rzuiAUY:LerT1LCbjjlqABMKgRKw==">
   <label for="name">What is your name?</label>
   <input type="text" id="name" name="name">
   <button type="submit">Submit</button>
 </form>

Answer from:
Pierre Laplante

Answered on: 0000-00-00 00:00:00
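As an added illustration of the scheme the answer describes (example code, not the sed_spam module's own): a Python version that binds the token to the client IP, the session cookie and an issue time, and rejects it when the key, the client or the expiry does not check out. It swaps the module's encryption for an HMAC over the fields and stores a hash of the cookie rather than the cookie itself, since the token sits in plain HTML; SECRET_KEY, TOKEN_TTL_SECONDS and the function signatures are assumptions.

```python
import base64
import hashlib
import hmac
import time
from typing import Optional

# Constructed secret for this example; a real deployment loads it from
# server-side configuration and never sends it to the client.
SECRET_KEY = b"example-server-side-secret-do-not-reuse"
TOKEN_TTL_SECONDS = 3600


def _session_binding(client_ip: str, session_cookie: str) -> str:
    # Hash the session cookie so its raw value never appears in the form.
    cookie_digest = hashlib.sha256(session_cookie.encode()).hexdigest()
    return f"{client_ip}|{cookie_digest}"


def get_csrf_token(client_ip: str, session_cookie: str,
                   now: Optional[int] = None) -> str:
    """Return 'base64(payload).base64(mac)' bound to IP, session and time."""
    issued_at = int(time.time()) if now is None else now
    payload = f"{_session_binding(client_ip, session_cookie)}|{issued_at}".encode()
    mac = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    return (base64.urlsafe_b64encode(payload).decode() + "."
            + base64.urlsafe_b64encode(mac).decode())


def csrf_token_valid(token: str, client_ip: str, session_cookie: str,
                     now: Optional[int] = None) -> bool:
    """Accept only a token whose MAC verifies under SECRET_KEY, whose binding
    matches the current client, and whose age is within TOKEN_TTL_SECONDS."""
    try:
        payload_b64, mac_b64 = token.split(".", 1)
        payload = base64.urlsafe_b64decode(payload_b64)
        mac = base64.urlsafe_b64decode(mac_b64)
    except (ValueError, TypeError):
        return False
    expected = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    # Constant-time comparison so a forged token leaks nothing about the MAC.
    if not hmac.compare_digest(mac, expected):
        return False
    try:
        ip, cookie_digest, issued_at_text = payload.decode().split("|")
        issued_at = int(issued_at_text)
    except ValueError:
        return False
    if f"{ip}|{cookie_digest}" != _session_binding(client_ip, session_cookie):
        return False
    current = int(time.time()) if now is None else now
    # Reject expired tokens and tokens stamped in the future.
    return 0 <= current - issued_at <= TOKEN_TTL_SECONDS
```

Because the token carries the client IP, a legitimate user whose address changes mid-session gets a rejection, which is the trade-off the page's design makes for the extra binding.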