This forum is read only. As of July 23, 2019, the UserSpice forums have been closed. To receive support, please join our Discord by clicking here. Thank you!

Multiple Forms
#1
Hello,

I have multiple pages where I have several forms, all of which have the CSRF token, obviously, as this is best practice. However, how do I go about ensuring all forms have the token on submit so the post doesn't die if one of the forms generates a different token?

Sorry if my description doesn't make sense, but I am sure you will understand.

Thanks!
#2
Generate token once and make all forms use it.
#3
I've come across this issue many times, and there's loads on Stack about this too. If forms are behind login then it's not so bad not to use one; however, I generally use one on 1 form on the page, which is better than none.
#4
I did see something about generating tokens per session, which sounds ideal to me.
#5
I did some looking into this and there are two systems worth looking at. The first is here, which looks pretty outstanding:

https://github.com/mebjas/CSRF-Protector.../readme.md

and then there's the WordPress way, which is based on session and user ID, so one token per user per session, which expires, I believe, after 12 or 24 hours.
#6
I've opted to go with moving the token check and generation to the header and echoing $token in each form. Most of my employees aren't too tech-savvy and will try to submit a form multiple times (or even order the same item for a customer several times), and it was easier for me to use the CSRF check already in place than to code checks to see if a form was already submitted.

In other projects though I've used something similar to the library that Firestorm posted above.
#7
@karsen, has that not had any issue with invalid token errors? i.e. multiple forms per page, each with its own form submission?
#8
Since I generate the token in the header, I can simply echo out $token in the forms so all forms use the same $token instead of Token::generate().
#9
Argh, I see, I'll give that a go. Defo gonna look at the token class a little closer; I noticed it's using
md5( uniqid() ), so I've changed the class a little.

Currently it generates: `<input type="hidden" name="csrf" value="89f378ee3aa6812ace51c50ce5f24e8b">`

but if we change the class to:

```php
class Token {
    // Session::put() and Config::get() are UserSpice helpers; put() stores the
    // value under the configured session key and returns it.
    public static function generate() {
        // mcrypt_create_iv() is deprecated since PHP 7.1.0 (and removed in 7.2),
        // so only use it when it exists and fall back to OpenSSL otherwise.
        if (function_exists('mcrypt_create_iv')) {
            return Session::put(Config::get('session/token_name'), bin2hex(mcrypt_create_iv(32, MCRYPT_DEV_URANDOM)));
        } else {
            return Session::put(Config::get('session/token_name'), bin2hex(openssl_random_pseudo_bytes(32)));
        }
    }

    public static function check($token) {
        $tokenName = Config::get('session/token_name');

        // The token is single-use: it is deleted from the session once a
        // submission matches it, so a repeated submit of the same form fails.
        if (Session::exists($tokenName) && $token === Session::get($tokenName)) {
            Session::delete($tokenName);
            return true;
        }
        return false;
    }
}
```

it generates:

```html
<input type="hidden" name="csrf" value="d400c97e10082978da1541ba27b3f4501d796116a2d466e49740038d30d56883">
```


which is far less predictable than uniqid()
#10
Nice code, I've added the change to my project and crossed it off my to-do list (it's quite long!).
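To make the point of #8 and #9 concrete, here is an added example (written for this thread, not UserSpice code and not from any poster) that contrasts calling generate() from every form against generating once per page and echoing the same token. It assumes a plain PHP array standing in for UserSpice's Session class, and uses random_bytes() and hash_equals() (both PHP 7.0+) in place of mcrypt/openssl and `===`.

```php
<?php
// Stand-in for UserSpice's Session: a plain array, so this runs from the CLI.
$session = [];

// Regenerate on every call, as Token::generate() above does. If two forms on one
// page each call this, the second call overwrites the first form's token.
function regenerateToken(array &$session): string
{
    $session['csrf'] = bin2hex(random_bytes(32)); // 32 CSPRNG bytes, hex-encoded
    return $session['csrf'];
}

// Generate once per page request and reuse; every form on the page echoes it.
function pageToken(array &$session): string
{
    if (empty($session['csrf'])) {
        $session['csrf'] = bin2hex(random_bytes(32));
    }
    return $session['csrf'];
}

// Single-use check like Token::check(), but with a constant-time comparison so
// the string compare itself does not leak how many leading bytes matched.
function checkToken(array &$session, string $submitted): bool
{
    if (!isset($session['csrf']) || !hash_equals($session['csrf'], $submitted)) {
        return false;
    }
    unset($session['csrf']); // consumed: a second submit of the same token fails
    return true;
}

// Page with two forms, each calling generate() itself: form A's token is gone
// from the session by the time it is submitted.
$formA = regenerateToken($session);
$formB = regenerateToken($session);
echo 'form A (per-form generate): ', checkToken($session, $formA) ? "ok\n" : "rejected\n";

// Same page, token generated once in the header and shared by both forms.
$session = [];
$formA = pageToken($session);
$formB = pageToken($session);
echo 'forms share a token: ', $formA === $formB ? "yes\n" : "no\n";
echo 'form A (shared token): ', checkToken($session, $formA) ? "ok\n" : "rejected\n";
// The token was consumed by that submit, so a second post (a double-click on
// form A, or form B sent after it without reloading) is rejected.
echo 'form B after A: ', checkToken($session, $formB) ? "ok\n" : "rejected\n";
```

Run with `php example.php`; the last line shows the trade-off karsen describes in #6, where a single-use shared token also blocks duplicate submissions until the page is reloaded.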