Multiple Forms

**Brandin** · 06-25-2017, 12:54 PM

Hello,

I have multiple pages where I have several forms, all of which I have the token CSRF token obviously as this is the best practice - however, how do I go about ensuring all forms have the token on submit so the post doesn't die if one of the forms generates a different token?

Sorry if my description doesn't make sense, but I am sure you will understand.

Thanks!

faguss · 07-14-2017, 10:26 PM

Generate token once and make all forms use it.

firestorm · 07-15-2017, 06:56 AM

ive come across this issue many times and theres loads on stack about this too, if forms are behind login then its not so bad not to use, however i generally use one on 1 form on the page which is better than none

firestorm · 07-15-2017, 06:57 AM

i did see something about generating tokens per session which sounds ideal to me

firestorm · 07-15-2017, 11:20 AM

i done some looking into this and theres two systems worth looking at , the first is here which looks pretty outstanding :

https://github.com/mebjas/CSRF-Protector.../readme.md

and then theres the wordpress way which is based on session and user id, so one token per user per session which expires i believe after 12 or 24 hours

karsen · 07-15-2017, 02:56 PM

I've opted to go with moving the token check and generation to the header and echoing $token in each form. Most of my employees aren't too tech-savvy and will try to submit a form multiple times (or even order the same item for a customer several times), and it was easier for me to use the CSRF check already in place than to code checks to see if a form was already submitted.

In other projects though I've used something similar to the library that Firestorm posted above.

firestorm · 07-15-2017, 03:11 PM

@karsen has that not had any issue with invalid token errors? i.e multiple forms per page each with its own form submission?

karsen · 07-15-2017, 04:33 PM

Since I generate the token in the header, I can simply echo out $token in the forms so all forms use the same $token instead of Token::generate().

firestorm · 07-15-2017, 04:45 PM

argh i see, i'll give that ago, defo gonna look at the token class a little closer, i noticed its using
md5( uniqid() ) so I've changed the class a little,

currently it generates: `<input type="hidden" name="csrf" value="89f378ee3aa6812ace51c50ce5f24e8b">'

but if we change class to:

`class Token {
public static function generate(){
if (function_exists('mcrypt_create_iv')) { //checks if exists as deprecated from php7.1.0
return Session::put(Config::get('session/token_name'), bin2hex(mcrypt_create_iv(32, MCRYPT_DEV_URANDOM)) );
} else {
return Session::put(Config::get('session/token_name'), bin2hex(openssl_random_pseudo_bytes(32)) );
}
}

public static function check($token){
$tokenName = Config::get('session/token_name');

if (Session::exists($tokenName) && $token === Session::get($tokenName)) {
Session::delete($tokenName);
return true;
}
return false;
}
}
'

it generates:

Code:
<input type="hidden" name="csrf" value="d400c97e10082978da1541ba27b3f4501d796116a2d466e49740038d30d56883">

which is far less predictable than uniqid()

karsen · 07-15-2017, 04:56 PM

Nice code, I've added the change to my project and crossed it off my to-do list (it's quite long!).

Login




Remember me Lost Password?