formtoken 1.0.0

Last Updated | Ratings | Unique User Downloads | Download Rankings
---|---|---|---
2019-01-10 | Not yet rated by the users | Total: 129, This week: 5 | All time: 8,863, This week: 78

Version | License | PHP version | Categories
---|---|---|---
formtoken 1.0.0 | Public Domain | 7 | PHP 5, Security
Description

This class can be used to generate and validate form tokens that are created dynamically via JavaScript and a server-side PHP script.

Class FormToken is a lightweight implementation of the dynamic Form Token strategy that helps to mitigate "screen scraper" automation and Cross-Site Request Forgery (CSRF). More on the risks and attack methods can be found in these links:

- http://phpsecurity.org/ch02.pdf (old but still useful)
- https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet

It is axiomatic that today (2019) any web site of value should be using HTTPS, not HTTP. You must use HTTPS for the Form Token to provide meaningful safety. Most PHP installations give you a data point, such as $_SERVER['REQUEST_SCHEME'], to test for HTTPS; you can rewrite any non-HTTPS request, or simply discard it.

It is also important to use the right PHP session management. If your PHP session data escapes into the wild, it is computationally trivial to extract the form token name and value, and these values could then be inserted into an HTML form. Good info: http://php.net/manual/en/features.session.security.management.php

PHP offers a built-in CSRF mitigation function, output_add_rewrite_var(), but its effect is to place a hidden input control into the HTML forms, which leaves the script vulnerable to scraping: http://php.net/manual/en/function.output-add-rewrite-var.php

To use Class FormToken:

1. Install the class and require it in any PHP script that uses forms.
2. Install the server_FormToken.php script.
3. Follow the JavaScript/jQuery example shown in demo_FormToken.

Originally published, with discussion, here: https://www.experts-exchange.com/articles/28802/
Files

File | Role | Description
---|---|---
class_FormToken.php | Class | Class_FormToken source
demo_FormToken.php | Example | Demonstration script
readme_FormToken.txt | Doc. | readme text file
server_FormToken.php | Appl. | Server-side token generator