I'm generating a form submission security token in software.
The idea is to generate a token as soon as the user arrives on the page hosting the form,
allow the user to fill in the form,
and only if the token initialized when the user landed on the page is the same as the one in an input field, run the code; otherwise, do not.
This is to avoid CSRF.
Methodology
1: Create a function that generates a token | create a file: config.php
    // Returns $length random bytes as a hex string (2 * $length characters).
    function RandomToken($length = 32){
        if(!isset($length) || intval($length) <= 8 ){
            $length = 32;
        }
        if (function_exists('random_bytes')) {
            return bin2hex(random_bytes($length));
        }
        if (function_exists('mcrypt_create_iv')) {
            return bin2hex(mcrypt_create_iv($length, MCRYPT_DEV_URANDOM));
        }
        if (function_exists('openssl_random_pseudo_bytes')) {
            return bin2hex(openssl_random_pseudo_bytes($length));
        }
    }
    // Base64-encodes 32 random bytes, replacing '+' with '.', and keeps the first 44 characters.
    function Salt(){
        return substr(strtr(base64_encode(hex2bin(RandomToken(32))), '+', '.'), 0, 44);
    }
    // A new $token is built every time this file is included, i.e. on every request.
    $token = (RandomToken())."\n".Salt()."\n";
2: Include config.php in the file hosting the form.
3: Write the rules.
    if (isset($_POST['submit']))
    {
        session_start();
        // Store the token generated during this request in the session,
        // then compare it with the value that came back in the form.
        $_SESSION['t'] = $token;
        if ( ($_SESSION['t'] === $_POST['csrf_token_p']))
        {
            /* write code if this is correct */
        }else{
            /* write code if this is not correct */
        }
    }
4: Write the form.
    <form action="page.php" method="post">
        <input type="text" name="csrf_token_p" value="<?php echo $token ?>">
        <input name="submit" value="modifica" type="submit">
    </form>
Error: I always get that the two tokens do not match. Why?
source https://stackoverflow.com/questions/69337827/csrf-tokem-for-submit-form
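The usual synchronizer-token pattern that the question is aiming for, as an added example (not the asker's code or an answer from the linked thread): the token is created once, kept server-side in the session, and the submitted copy is checked against it with a constant-time comparison. The file name, the cookie settings and the success/failure messages are illustrative assumptions; `page.php`, `csrf_token_p` and the `submit` button are taken from the question.

```php
<?php
// page.php (assumed file name) -- added example, not the code from the question.
// Cookie flags are illustrative; the array form needs PHP 7.3 or later.
session_set_cookie_params(['httponly' => true, 'samesite' => 'Lax']);
session_start();

// Issue the token once per session and keep it server-side. Generating a fresh
// token on every request and storing *that* right before the comparison means the
// stored value can never equal the one rendered into the earlier page load.
function csrf_token(): string {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32)); // 64 hex characters
    }
    return $_SESSION['csrf_token'];
}

// Validate the submitted value: it must be a string (not an array from
// csrf_token_p[]=...), a token must exist, and the compare is constant-time.
function csrf_valid($submitted): bool {
    if (!is_string($submitted) || empty($_SESSION['csrf_token'])) {
        return false;
    }
    return hash_equals($_SESSION['csrf_token'], $submitted);
}

if (isset($_POST['submit'])) {
    if (csrf_valid($_POST['csrf_token_p'] ?? null)) {
        echo "Token OK: process the form.\n";      // placeholder for the real work
    } else {
        http_response_code(403);                   // reject before doing anything
        echo "Token mismatch: request rejected.\n";
        exit;
    }
}
?>
<form action="page.php" method="post">
    <!-- hidden, and escaped before it is placed in an attribute -->
    <input type="hidden" name="csrf_token_p"
           value="<?= htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') ?>">
    <input name="submit" value="modifica" type="submit">
</form>
```

Because the token lives in the session rather than in a variable rebuilt per request, the value rendered on the GET and the value checked on the POST are the same one.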