I want to disable POST requests sent from another URL or from other software (CSRF attacks), and note that I don't want to put a CSRF token input in my forms.
Is it acceptable if I set a CSRF token in the session after users log in? Thanks
If you want to avoid CSRF, you don't have any good options. The $_SERVER['HTTP_REFERER'] variable is often set and usually corresponds to the website the request came from, so you could use it to block some foreign requests. However, like all data coming from the browser, you cannot trust it without verification, so it should not be considered secure. The docs say:
This is set by the user agent. Not all user agents will set this, and some provide the ability to modify HTTP_REFERER as a feature. In short, it cannot really be trusted.
CSRF checking is the best option to prevent foreign domains from making requests. You don't have to include it as an input on your forms if you don't want to; you can use cookies and headers instead:
1. When the user logs in, use PHP's setcookie to store a token in cookies. Store a matching token in the user session, along with an expiration date.
session_start(); // the session must be started before writing to $_SESSION
$token = bin2hex(random_bytes(32)); // 256-bit token from PHP's CSPRNG
$expire = time() + 1800; // expire in 30 minutes
setcookie("XSRF-TOKEN", $token, $expire); // JavaScript must be able to read this cookie, so do not set httponly
$_SESSION['XSRF-TOKEN'] = ['token' => $token, 'exp' => $expire];
2. When your site makes a request, use Javascript to read the token from document.cookie and set the header below with the exact same value:
X-XSRF-TOKEN: 43b7acd76d6....
If you're worried about having to update a big website, this is your best bet. You can instruct the browser to run a Javascript function whenever it's about to make an HTTP request. This function could read the cookie and set the header. Many frameworks will do this for you, but for vanilla JS, look at this resource.
3. Whenever your PHP script receives a request, first look for the value of this header, then compare it to what you saved in the user session. Remember to check for expiration!
$headers = apache_request_headers();
$request_token = $headers['X-XSRF-TOKEN'] ?? null; // null when the header is absent
$session_token = $_SESSION['XSRF-TOKEN'] ?? null;  // null when step 1 never ran for this session
if ($request_token === null) die('Token is missing');
if ($session_token === null) die('No token in session');
if ($session_token['exp'] < time()) die('Token has expired');
if (!hash_equals($session_token['token'], $request_token)) die('Token is invalid'); // constant-time comparison
// safe to continue. Repeat step 1 to set a fresh token
Only the domain that can read the XSRF-TOKEN cookie will know what value to set in the header. Since browsers do not allow one domain to read cookies from another, this mechanism will protect you from requests of bad origin. And it keeps the CSRF bits out of your forms as you asked.
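The client side of step 2, as an added example that is not from the original answer: a helper that reads XSRF-TOKEN from document.cookie and attaches it as the X-XSRF-TOKEN header only on same-origin requests, so the token is never sent to a third-party host. The origin check, the constructed cookie strings and the wrapper name installXsrfFetch are this example's own assumptions, not something the answer specifies.

```javascript
// Added example: browser-side half of the cookie-to-header scheme described in step 2.
// Assumes a browser environment for installXsrfFetch (document.cookie, location.origin, fetch).

// Parse a document.cookie-style string ("a=1; b=2") and return the named value, or null.
function readCookie(cookieString, name) {
  for (const part of cookieString.split(';')) {
    const eq = part.indexOf('=');
    if (eq === -1) continue;
    const key = part.slice(0, eq).trim();
    if (key === name) return decodeURIComponent(part.slice(eq + 1).trim());
  }
  return null;
}

// True when `url` (absolute or relative) resolves to the same origin as `origin`.
function isSameOrigin(url, origin) {
  return new URL(url, origin).origin === origin;
}

// Copy the caller's headers and add X-XSRF-TOKEN when the request is same-origin
// and the XSRF-TOKEN cookie is present. Cross-origin requests never get the token.
function withXsrfHeader(url, origin, cookieString, headers = {}) {
  const out = (typeof Headers !== 'undefined' && headers instanceof Headers)
    ? Object.fromEntries(headers.entries())
    : { ...headers };
  const token = readCookie(cookieString, 'XSRF-TOKEN');
  if (token !== null && isSameOrigin(url, origin)) {
    out['X-XSRF-TOKEN'] = token;
  }
  return out;
}

// Wrap window.fetch so every same-origin call carries the header automatically
// (the "run a function before every HTTP request" idea from the answer).
function installXsrfFetch(win = globalThis) {
  const originalFetch = win.fetch.bind(win);
  win.fetch = (input, init = {}) => {
    const url = typeof input === 'string' ? input : input.url;
    const headers = withXsrfHeader(url, win.location.origin, win.document.cookie, init.headers || {});
    return originalFetch(input, { ...init, headers });
  };
}
```

The server-side check in step 3 then compares the header against the session value; a request from another origin cannot read the cookie and so never carries a valid header.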