One-time Form tokens

What is a form token?

A form token protects a site against attacks such as cross-site request forgery (CSRF), in which an attacker gets your form submitted in a way it was never intended, typically from another site loaded in the victim's browser. The idea is that each form carries a hidden field holding a secret value that the server issued for that form and that can be used only once.

How do you create one?

It should be an unpredictable value: generate it from a cryptographically secure random number generator with plenty of entropy. A key of 5 or so characters is far too short to resist guessing, and hashing a weak key with MD5, SHA1 or a salt adds no randomness that was not already in the input, so the strength comes from the random source, not the hash. Keep the token in the server-side session so that it is only valid for that session and that user.

How do you use it?

Before a sensitive action is performed, for example buying a product, check that the submitted token is present and matches the one stored on the server for that user's session. If it matches, discard the stored token and then perform the action, so the same token cannot be replayed; if it is missing or does not match, refuse the action. Compare the two values with a constant-time comparison so an attacker cannot learn the token character by character from response timing.
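The create-and-check cycle above, as an added example that is not code from the original post. It uses Python's standard library only; the in-memory SESSIONS dictionary stands in for whatever server-side session store an application already has, and the session ids, product names and the buy_product action are constructed for the demonstration.

```python
import hmac
import secrets

# Constructed stand-in for a server-side session store:
# session id -> set of tokens issued to that session and not yet used.
SESSIONS = {}

TOKEN_BYTES = 32  # 256 bits from the OS CSPRNG; the hash step adds nothing


def issue_token(session_id):
    """Create a fresh one-time token for this session and remember it server-side.

    A set is used so that several forms can be open in the same session at once.
    """
    token = secrets.token_urlsafe(TOKEN_BYTES)
    SESSIONS.setdefault(session_id, set()).add(token)
    return token


def hidden_field(token):
    """Render the hidden input that carries the token back with the form.

    token_urlsafe output is base64url, so it needs no HTML escaping here.
    """
    return '<input type="hidden" name="form_token" value="%s">' % token


def consume_token(session_id, submitted):
    """Return True exactly once for a token issued to this session, else False.

    The stored token is removed before the caller performs the action, so a
    replayed form (same token again) is rejected. Comparison is constant-time
    so timing does not reveal how many leading characters matched.
    """
    if not submitted:
        return False
    live = SESSIONS.get(session_id, set())
    for token in list(live):
        if hmac.compare_digest(token, submitted):
            live.discard(token)
            return True
    return False


def buy_product(session_id, form):
    """Sensitive action guarded by the one-time token check.

    `form` is the submitted field dictionary; the token comes from the
    hidden field rendered by hidden_field().
    """
    if not consume_token(session_id, form.get("form_token")):
        return "rejected: missing, wrong or already-used token"
    return "purchased %s" % form["product"]


if __name__ == "__main__":
    token = issue_token("session-A")
    print(hidden_field(token))
    print(buy_product("session-A", {"form_token": token, "product": "book"}))
    # Replaying the same form a second time is refused.
    print(buy_product("session-A", {"form_token": token, "product": "book"}))
```

A token issued to one session is rejected when presented with another session's cookie, which is what ties the token to "that session and that user"; an attacker's page cannot read the victim's hidden field, so it cannot supply a matching value.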

2 Responses to “One-time Form tokens”

  1. Joseph Wilk writes:

    Hello,

    It sounds like a good solution. It would be good for me, but I have systems where it's an issue to store server state. I try and operate with a REST model, trying to ensure that there is little to no state at the server, using cookies where possible for logins. Is it impossible to protect against this sort of attack without relying on server state?

    Thanks

  2. Gareth Heyes writes:

    Hi Joseph

    If you only used cookies then it would be possible for an attacker to perform any action on your behalf by including an iframe on their site and forcing you to do an action.

    Form tokens are not the only method you can use. I’ve done a newer post which explains various techniques:
    http://www.thespanner.co.uk/2007/08/21/protection-against-csrf-part-2/

    If you randomise the URL on every login this can be a good way of protecting against CSRF, but check out the examples above to see which is best for you.