Multiple Forms - Printable Version
+- UserSpice (https://userspice.com/forums)
+-- Forum: Miscellaneous (https://userspice.com/forums/forumdisplay.php?fid=28)
+--- Forum: Off-topic Discussions (https://userspice.com/forums/forumdisplay.php?fid=10)
+--- Thread: Multiple Forms (/showthread.php?tid=611)
Multiple Forms - Brandin - 06-25-2017

Hello, I have multiple pages where I have several forms, all of which have the CSRF token, obviously, as this is the best practice. However, how do I go about ensuring all forms have the token on submit so the post doesn't die if one of the forms generates a different token? Sorry if my description doesn't make sense, but I am sure you will understand. Thanks!

Multiple Forms - faguss - 07-14-2017

Generate the token once and make all forms use it.

Multiple Forms - firestorm - 07-15-2017

I've come across this issue many times and there's loads on Stack about this too. If forms are behind login then it's not so bad not to use one; however, I generally use one on one form on the page, which is better than none.

Multiple Forms - firestorm - 07-15-2017

I did see something about generating tokens per session, which sounds ideal to me.

Multiple Forms - firestorm - 07-15-2017

I did some looking into this and there are two systems worth looking at. The first is here, which looks pretty outstanding: https://github.com/mebjas/CSRF-Protector-PHP/blob/master/readme.md

And then there's the WordPress way, which is based on session and user ID, so one token per user per session, which expires I believe after 12 or 24 hours.

Multiple Forms - karsen - 07-15-2017

I've opted to go with moving the token check and generation to the header and echoing $token in each form. Most of my employees aren't too tech-savvy and will try to submit a form multiple times (or even order the same item for a customer several times), and it was easier for me to use the CSRF check already in place than to code checks to see if a form was already submitted. In other projects, though, I've used something similar to the library that Firestorm posted above.

Multiple Forms - firestorm - 07-15-2017

@karsen has that not had any issue with invalid token errors? i.e. multiple forms per page, each with its own form submission?

Multiple Forms - karsen - 07-15-2017

Since I generate the token in the header, I can simply echo out $token in the forms so all forms use the same $token instead of Token::generate().

Multiple Forms - firestorm - 07-15-2017

Argh, I see, I'll give that a go. Defo gonna look at the Token class a little closer. I noticed it's using md5(uniqid()), so I've changed the class a little. Currently it generates:

Code:
<input type="hidden" name="csrf" value="89f378ee3aa6812ace51c50ce5f24e8b">

but if we change the class to:

Code:
```php
class Token {
    public static function generate() {
        // mcrypt_create_iv() is deprecated as of PHP 7.1.0, so check that it exists first
        if (function_exists('mcrypt_create_iv')) {
            return Session::put(Config::get('session/token_name'),
                bin2hex(mcrypt_create_iv(32, MCRYPT_DEV_URANDOM)));
        } else {
            // fall back to OpenSSL's CSPRNG: 32 random bytes -> 64 hex characters
            return Session::put(Config::get('session/token_name'),
                bin2hex(openssl_random_pseudo_bytes(32)));
        }
    }

    public static function check($token) {
        $tokenName = Config::get('session/token_name');
        // token is consumed on a successful check, so each generated token validates once
        if (Session::exists($tokenName) && $token === Session::get($tokenName)) {
            Session::delete($tokenName);
            return true;
        }
        return false;
    }
}
```

it generates:

Code:
<input type="hidden" name="csrf" value="d400c97e10082978da1541ba27b3f4501d796116a2d466e49740038d30d56883">

which is far less predictable than uniqid().

Multiple Forms - karsen - 07-15-2017

Nice code, I've added the change to my project and crossed it off my to-do list (it's quite long!).
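The approach the thread settles on, one token generated once per session, echoed into every form on the page and not consumed on check, written out as an added example. This is not UserSpice code; the class name, session key, field name and the PHP >= 7.0 requirement (random_bytes, hash_equals) are assumptions, and session_start() is assumed to run before any output.

```php
<?php
// Added example, not UserSpice's Token class: one CSRF token per session, shared by every form.
final class SessionCsrf
{
    private const KEY = 'csrf_token';   // session key (assumed name)

    /** Return the session token, creating it only if none exists yet. */
    public static function token(): string
    {
        if (empty($_SESSION[self::KEY])) {
            // 32 bytes from the CSPRNG -> 64 hex chars, instead of md5(uniqid()).
            $_SESSION[self::KEY] = bin2hex(random_bytes(32));
        }
        return $_SESSION[self::KEY];
    }

    /** Hidden input to drop into every form on the page; all of them carry the same value. */
    public static function field(string $name = 'csrf'): string
    {
        return sprintf('<input type="hidden" name="%s" value="%s">',
            htmlspecialchars($name, ENT_QUOTES, 'UTF-8'),
            htmlspecialchars(self::token(), ENT_QUOTES, 'UTF-8'));
    }

    /** Validate a submitted token. It is NOT deleted on success, so a second form
     *  (or a second tab) submitted later in the same session still validates. */
    public static function check(?string $submitted): bool
    {
        if ($submitted === null || empty($_SESSION[self::KEY])) {
            return false;
        }
        // Constant-time comparison so the token cannot be leaked through timing.
        return hash_equals($_SESSION[self::KEY], $submitted);
    }

    /** Call on login/logout, together with session_regenerate_id(), to rotate the token. */
    public static function rotate(): void
    {
        unset($_SESSION[self::KEY]);
    }
}

// Usage sketch (runs in the page that renders and receives the forms):
// session_start();
// if ($_SERVER['REQUEST_METHOD'] === 'POST' && !SessionCsrf::check($_POST['csrf'] ?? null)) {
//     http_response_code(403); exit('Invalid CSRF token');
// }
// echo '<form method="post" action="order.php">',  SessionCsrf::field(), ' ...</form>';
// echo '<form method="post" action="refund.php">', SessionCsrf::field(), ' ...</form>';
```

Because check() does not delete the token, duplicate submissions by a user are not blocked by this class; that needs a separate idempotency check, which the thread notes karsen was relying on the single-use Token::check() to provide.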