One-time Form tokens
Thursday, 12 April 2007
What is a form token?
A form token provides protection against a class of attacks on your site (e.g. CSRF *) in which an attacker uses your form in a way it wasn’t intended. The idea is that the form token appears as a hidden field in the form and can only be used once.
How do you create one?
It should be a random key longer than 5 characters, ideally made up of mixed-case alphanumeric and non-alphanumeric characters, which is then hashed using MD5, SHA1 or a similar hashing method with a salt *. The form token should only be usable for that session and that user.
How do you use it?
Before a sensitive action is performed, for example buying a product, check that the form token was sent correctly and matches the one you stored on the server for that user. If the token matches, the action is performed and the token cannot be used again; if it does not match, the action is not performed.
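The issue-and-check flow described above, as an added example and not code from the original post. It assumes an in-memory dict standing in for the server-side session store and a hypothetical buy_product action; the token is drawn straight from the OS CSPRNG with secrets.token_hex rather than by hashing a salted random key as the post describes.

```python
import hmac
import secrets

# Constructed in-memory session store standing in for real server-side sessions:
# session_id -> {"user": user name, "form_tokens": set of not-yet-used tokens}
SESSIONS = {
    "sess-alice": {"user": "alice", "form_tokens": set()},
    "sess-mallory": {"user": "mallory", "form_tokens": set()},
}

def issue_form_token(sessions, session_id):
    """Create a fresh one-time token, remember it for this session only, and
    return it so the caller can render it as a hidden form field."""
    token = secrets.token_hex(32)  # 256 random bits from the OS CSPRNG
    sessions[session_id]["form_tokens"].add(token)
    return token

def consume_form_token(sessions, session_id, submitted):
    """Return True exactly once for a token issued to this session.
    A matching token is discarded immediately, so a replay is rejected,
    and a token issued to another session never matches."""
    session = sessions.get(session_id)
    if session is None or not submitted:
        return False
    for stored in list(session["form_tokens"]):
        # constant-time comparison so response timing does not leak the stored value
        if hmac.compare_digest(stored, submitted):
            session["form_tokens"].discard(stored)
            return True
    return False

def buy_product(sessions, session_id, form):
    """Hypothetical sensitive action guarded by the token check. Returns a
    status string instead of performing a real purchase."""
    if not consume_form_token(sessions, session_id, form.get("form_token", "")):
        return "rejected: missing, reused or foreign form token"
    user = sessions[session_id]["user"]
    return f"purchased {form['product']} for {user}"

if __name__ == "__main__":
    t = issue_form_token(SESSIONS, "sess-alice")
    print(buy_product(SESSIONS, "sess-alice", {"product": "book", "form_token": t}))
    # second submission with the same token: rejected
    print(buy_product(SESSIONS, "sess-alice", {"product": "book", "form_token": t}))
```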