I currently have these two functions, one for generating a token and one for checking its validity:
<?php
session_start(); // the token lives in the session, so a session must be open

function getToken() {
    if (isset($_SESSION['token'])) {
        return $_SESSION['token'];
    } else {
        // random key generator: 32 random bytes, hex-encoded (64 chars)
        $token = bin2hex(random_bytes(32));
        $_SESSION['token'] = $token;
        return $token;
    }
}

function validateToken($token) {
    // constant-time comparison instead of a loose == check
    if (is_string($token) && hash_equals(getToken(), $token)) {
        return true;
    } else {
        return false;
    }
}
And my registration form includes this hidden input:
<input type="hidden" name="token" value="<?php echo getToken(); ?>">
Is this safe? I'm asking because what if the session of a legit user expires and then they get CSRF'd to this register form, and the token gets generated by the malicious site/iframe itself because one didn't already exist in the session, therefore authenticating just fine?
Assume that user stays logged in because of cookies.
Am I understanding things wrongly here? Can't remote linking, like iframes, generate sessions in your backend?
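The scenario the question describes, walked through in code as an added example (this is not code from the original post). It hardens the two helpers from the question and then simulates the expired-session case offline: a cross-origin iframe loading the form can indeed cause the server to start a fresh session and mint a token, but that token only leaves the server inside the HTML response, which the attacker's page cannot read because of the same-origin policy. The forged POST therefore arrives with the user's cookies but without a valid token. The functions `handleRegistration` and `simulate` and the session-expiry step are assumptions made for the walk-through; `$_SESSION` is used as a plain array so the script runs under the PHP CLI without `session_start()`.

```php
<?php
// Added example (not from the original post): a session-bound CSRF token
// helper plus an offline simulation of the expired-session scenario.
declare(strict_types=1);

const CSRF_TOKEN_BYTES = 32;

// Mint the per-session token lazily on first use. Lazy generation is fine:
// the value only ever travels in the server's own HTML response, which a
// cross-origin page (iframe, image, form) cannot read.
function getToken(): string
{
    if (!isset($_SESSION['token'])) {
        $_SESSION['token'] = bin2hex(random_bytes(CSRF_TOKEN_BYTES));
    }
    return $_SESSION['token'];
}

// Validate a submitted token against the session's token. Uses a
// constant-time comparison and treats a missing or empty submission, or a
// session with no token yet, as invalid instead of minting a token and
// comparing against that.
function validateToken(?string $submitted): bool
{
    if ($submitted === null || $submitted === '' || !isset($_SESSION['token'])) {
        return false;
    }
    return hash_equals($_SESSION['token'], $submitted);
}

// Assumed request handler: $post stands in for $_POST. Returns true when the
// registration would be accepted.
function handleRegistration(array $post): bool
{
    return validateToken($post['token'] ?? null);
}

// Walk through the question's scenario. $_SESSION is reset by hand to model
// session expiry (an assumption: the real session store discards the data).
function simulate(): array
{
    $results = [];

    // 1. The legit user loads the form: a session exists and the embedded token
    //    comes back with their own submission.
    $_SESSION = [];
    $formToken = getToken();
    $results['legit_submit'] = handleRegistration(['token' => $formToken]);

    // 2. The session expires server-side; the browser still holds login cookies.
    $_SESSION = [];

    // 3. A cross-origin iframe loads the form: this DOES create a fresh session
    //    and a fresh token on the server ...
    $newToken = getToken();
    $results['token_regenerated'] = ($newToken !== $formToken);

    // 4. ... but the attacker's page cannot read that response, so the forged
    //    POST carries no token, a stale one, or a guess (constructed value),
    //    and every one of them is rejected.
    $results['forged_no_token']  = handleRegistration([]);
    $results['forged_old_token'] = handleRegistration(['token' => $formToken]);
    $results['forged_guess']     = handleRegistration(['token' => str_repeat('0', 64)]);

    return $results;
}

if (PHP_SAPI === 'cli') {
    var_dump(simulate());
}
```

Running it from the CLI prints `legit_submit` and `token_regenerated` as `true` and the three forged submissions as `false`. The design point is that the token's secrecy rests on the response body being unreadable cross-origin, not on the session already existing, so lazily creating the session and token on first request does not weaken the check; what would weaken it is comparing against a freshly minted token when the submission is empty, which the `validateToken` above refuses to do.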