Understanding CSRF in PHP

What is CSRF?

Cross-Site Request Forgery (CSRF) is a type of attack that deceives users into executing unwanted actions on a different site where they are authenticated. It occurs when a malicious website sends requests to another site on behalf of an authenticated user.

Why is CSRF a Concern?

CSRF attacks can lead to unauthorized actions such as:

• Changing account details.
• Making purchases.
• Sending messages or making posts on behalf of the user.

Key Concepts

Tokens: A common way to prevent CSRF attacks is by using tokens. A unique token is generated for each session or request and is embedded in forms. The server checks this token for every request to ensure it is valid.

Implementing CSRF Protection in PHP

Step-by-Step Example

1. Generate a CSRF Token
   • When a user accesses a form, generate a unique token and store it in the session.
2. Include the Token in Forms
   • Add the token as a hidden input field in your HTML forms.
3. Validate the Token on Submission
   • When the form is submitted, check if the token matches the one stored in the session.

session_start();
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (hash_equals($_SESSION['csrf_token'], $_POST['csrf_token'])) {
        // Process the form
    } else {
        // Token mismatch, possible CSRF attack
        die('Invalid CSRF token');
    }
}

<form method="POST" action="submit.php">
    <input type="hidden" name="csrf_token" value="<?php echo $_SESSION['csrf_token']; ?>">
    <!-- other form fields -->
    <input type="submit" value="Submit">
</form>

session_start();
if (empty($_SESSION['csrf_token'])) {
    $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
}

Best Practices

• Always regenerate CSRF tokens after every successful form submission.
• Use HTTPS to safeguard against man-in-the-middle attacks.
• Implement CSRF protection on all actions that modify data.

Conclusion

CSRF is a serious security threat, but using tokens can effectively mitigate the risk. By incorporating CSRF protection in your PHP applications, you can help ensure that actions performed by your users are legitimate and authorized.