Cross Site Request Forgery (CSRF) prevention stops an attacker from causing unwanted actions at a trusted service by using the authentication status of a logged-in user without their knowledge.
There are a few ways to protect against Cross-Site Request Forgery:
- Synchronizer Token Pattern - discussed in the previous tutorial
- Double Submit Cookies
- Encrypted Token Pattern
- HTTP referrer header
How do we defend?
In this tutorial we learn about Double Submit Cookies. It is another way of defending against CSRF: we generate a random value and send it both in the HTTP request and in a cookie. The server checks whether the two values match; if they do not, it reports a CSRF attack.
As we did in the Synchronizer Token Pattern CSRF protection tutorial, we use a client side (index.php) and a server side (server.php) and continue with the following steps:
In index.php (client side)=>
- start the session on the client side
- after that set a cookie which stores the session id of the client, with a cookie duration (here I have made it 1 hour).
- after that create a token, store it in the token variable, and store it in a new cookie named "cToken" as given below.
<?php
session_start();
$sessionID = session_id(); // storing session id
// cookie holding the session id, valid for 1 hour; last argument true = HttpOnly
setcookie("user_login", $sessionID, time() + 3600, "/", "localhost", false, true);
// fresh random key for this session, used to derive the CSRF token
$_SESSION['key'] = bin2hex(random_bytes(32));
$token = hash_hmac('sha256', "token for user login", $_SESSION['key']);
$_SESSION['CSRF_TOKEN'] = $token;
// second copy of the same token in its own cookie (the "double submit")
setcookie("cToken", $token, time() + 3600, "/", "localhost", false, true);
?>
- then design a client page as follows and set the value of the hidden input field to the token using "<?php echo $token ?>" (to send the value to the server side for validation)
<form method="POST" action="server.php">
<input type="text" name="user" placeholder="Username" required="required" />
<input type="password" name="pass" placeholder="Password" required="required" />
<input type="hidden" name="user_csrf" id="IdOfToken" value="<?php echo $token ?>" />
<button type="submit" name="submit">Login!</button>
</form>
---------------------
In server.php (Server side) =>
- start the server side session
- create a validate function which takes username, password, user_token and sessionid as parameters.
It should validate:
- the "user_csrf" token from the hidden input field against the "CSRF_TOKEN" stored in the session array.
- the "user_login" sessionId from the cookie array (that we already stored in a cookie) against the current session id (using the function session_id())
- and the username and password - when the user clicks the login button, call the above function for the validation.
If token validation succeeds the user stays on the server page; if not, an alert box with an appropriate message is shown and the user is sent back to index.php.
<?php
session_start(); // server session starts

// only run the checks when the login form was actually submitted
if (isset($_POST['submit'])) {
    validate(
        $_POST['user'] ?? '',
        $_POST['pass'] ?? '',
        $_POST['user_csrf'] ?? '',
        $_COOKIE['user_login'] ?? ''
    );
}

// validate: username/password, the CSRF token against the copy kept in the
// session, and the "user_login" cookie against the current session id
function validate($username, $password, $user_token, $user_sessionCookie)
{
    if ($username == "admin" && $password == "admin") {
        // hash_equals is a strict, constant-time string comparison; a loose
        // "==" would treat two numeric-looking hex strings as equal
        $tokenOk = isset($_SESSION['CSRF_TOKEN'])
            && hash_equals($_SESSION['CSRF_TOKEN'], (string) $user_token);
        $sessionOk = hash_equals(session_id(), (string) $user_sessionCookie);
        if ($tokenOk && $sessionOk) {
            echo "<script> alert('Logged in Successfully')</script>";
            // escape the username before echoing it into HTML
            echo "<h1>Welcome : " . htmlspecialchars($username) . "<br/></h1>";
        } else {
            echo "<script> alert('Login failed! CSRFToken not matching!!') </script>";
            echo "<script type=\"text/javascript\"> window.location.href='index.php';</script>";
        }
    } else {
        echo "<script> alert('Login failed!login again!!') </script>";
        echo "<script type=\"text/javascript\"> window.location.href ='index.php';</script>";
    }
}
?>
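The opening paragraph describes the server comparing the token submitted in the request with the token carried in the cookie; server.php above checks the hidden field against the session copy and does not read the "cToken" cookie. The following is an added example (not the tutorial's own code) of that cookie-versus-field comparison as a stand-alone function; the function name and the sample arrays are assumptions made for the demonstration.

```php
<?php
declare(strict_types=1);

// Double submit check: the token in the hidden form field must equal the
// token in the "cToken" cookie. A cross-site form can make the browser
// attach the cookie but cannot read it to copy the value into the request.
function double_submit_valid(array $post, array $cookie): bool
{
    // both halves must be present; a missing cookie or field is a rejection,
    // never a "match" of two empty strings
    if (!isset($post['user_csrf'], $cookie['cToken'])) {
        return false;
    }
    $fromForm   = $post['user_csrf'];
    $fromCookie = $cookie['cToken'];
    if (!is_string($fromForm) || !is_string($fromCookie) || $fromCookie === '') {
        return false;
    }
    // constant-time, strict comparison (avoids the "==" numeric-string pitfall)
    return hash_equals($fromCookie, $fromForm);
}

// constructed sample values so the file runs on its own: php double_submit.php
$token = hash_hmac('sha256', 'token for user login', bin2hex(random_bytes(32)));

$cases = [
    'matching pair'  => [['user_csrf' => $token], ['cToken' => $token]],
    'forged field'   => [['user_csrf' => str_repeat('0', 64)], ['cToken' => $token]],
    'missing cookie' => [['user_csrf' => $token], []],
    'missing field'  => [[], ['cToken' => $token]],
];

foreach ($cases as $name => [$post, $cookie]) {
    // only the first case is accepted; the other three are rejected
    printf("%-15s => %s\n", $name, double_submit_valid($post, $cookie) ? 'accept' : 'reject');
}
```

In the tutorial's layout the same function would be called from server.php as double_submit_valid($_POST, $_COOKIE), alongside the username/password check.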