1

Topic: extension dev: xsrf/csrf

Hi

I'm working on an extension that takes user input and I want to make sure it is safe from XSRF/CSRF attacks. I understand PunBB has its own methods to secure it from such attacks; is there any way I might use these, or should I implement my own?

2

Re: extension dev: xsrf/csrf

You need to add a hidden field to the form:

<input type="hidden" name="csrf_token" value="<?php echo generate_form_token(_your_url_identical_with_form_action_); ?>" />

The forum will verify the token.
For example, look at viewtopic.php after line 618.

3 (edited by mrse0 2012-01-14 16:24)

Re: extension dev: xsrf/csrf

So this is actually for some AJAX GETs; is the theory the same?

(thanks for the response)

4

Re: extension dev: xsrf/csrf

This is only for POST requests.
For GET requests you need to add the token to the query string:

http://my.site/misc.php?csrf_token=<?php echo generate_form_token(_my_string_); ?>

And check $_GET['csrf_token'] manually:

if (!isset($_GET['csrf_token']) || $_GET['csrf_token'] !== generate_form_token(_my_string_))
{
    die('error');
}

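Added example, not code from this thread or from PunBB itself: a self-contained PHP script that puts the two replies together, the hidden-field token for a POST form and the hand-checked query-string token for an AJAX GET. It assumes a PunBB-style generate_form_token() that mixes a per-user secret with the action string; the pun_token_secret() and generate_form_token() functions below are stand-ins for the forum's own helper, and the path /extern/myext.php and the action string 'myext ajax' are hypothetical. It is meant to be served by PHP 7 or later.

```php
<?php
// Added example, not code from this thread or from PunBB itself. It sketches the
// token-per-action pattern the two replies describe, as a self-contained script.
// ASSUMPTIONS: pun_token_secret() and generate_form_token() below are stand-ins
// that imitate a per-user secret mixed with the action string; in a real
// extension call the forum's own generate_form_token() instead and delete them.
// '/extern/myext.php' and the 'myext ajax' action string are hypothetical.
// Needs PHP 7+ (random_bytes, ??).

// Stand-in for the per-user CSRF secret the forum keeps for the logged-in user.
function pun_token_secret()
{
    if (session_status() !== PHP_SESSION_ACTIVE)
        session_start();
    if (empty($_SESSION['csrf_secret']))
        $_SESSION['csrf_secret'] = bin2hex(random_bytes(16));
    return $_SESSION['csrf_secret'];
}

// Token bound both to the current user's secret and to one action string
// (the form's action URL for POST, any fixed string for an AJAX endpoint).
// A token minted for one action is useless for another.
function generate_form_token($action)
{
    return hash_hmac('sha256', str_replace(' ', '', $action), pun_token_secret());
}

// Shared check for the hidden POST field and the GET query parameter.
function csrf_token_valid($submitted, $action)
{
    if (!is_string($submitted) || $submitted === '')
        return false;
    // Strict, constant-time comparison instead of a loose != on strings.
    return hash_equals(generate_form_token($action), $submitted);
}

$action_url  = '/extern/myext.php';   // hypothetical extension entry point
$ajax_action = 'myext ajax';          // hypothetical action string for the GET endpoint

if (($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'POST')
{
    // Form post: the token arrives in the hidden field.
    if (!csrf_token_valid($_POST['csrf_token'] ?? null, $action_url))
    {
        http_response_code(403);
        exit('Bad CSRF token');
    }
    // ... handle the submitted input here ...
}
elseif (isset($_GET['csrf_token']))
{
    // AJAX GET: the token arrives in the query string and is checked by hand.
    if (!csrf_token_valid($_GET['csrf_token'], $ajax_action))
    {
        http_response_code(403);
        exit('Bad CSRF token');
    }
    header('Content-Type: application/json');
    echo json_encode(array('ok' => true));
    exit;
}

// Plain page view: render the form and hand the AJAX token to page script.
// Both tokens are embedded in this response, which a cross-site attacker
// cannot read, so it cannot forge either request.
$form_token = generate_form_token($action_url);
$ajax_url   = $action_url.'?csrf_token='.rawurlencode(generate_form_token($ajax_action));
?>
<form method="post" action="<?php echo htmlspecialchars($action_url, ENT_QUOTES, 'UTF-8'); ?>">
  <input type="hidden" name="csrf_token" value="<?php echo htmlspecialchars($form_token, ENT_QUOTES, 'UTF-8'); ?>" />
  <input type="text" name="answer" />
  <input type="submit" value="Send" />
</form>
<script>
  // Page script calls the endpoint with the token already in the URL.
  var ajaxUrl = <?php echo json_encode($ajax_url); ?>;
  fetch(ajaxUrl, {credentials: 'same-origin'}).then(function (r) { return r.json(); });
</script>
```

Two points worth keeping in mind when adapting this: the check on the GET side only works because the token was minted into a page the attacker cannot read, so any page that exposes the AJAX token must itself be served only to the logged-in user; and a token in a query string ends up in server logs, browser history and Referer headers, so a GET that changes state is better turned into a POST where the token can stay in the body.
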
5

Re: extension dev: xsrf/csrf

gotcha, thanks!