Protection against CSRF part 2
Tuesday, 21 August 2007
Continuing from my previous post, I have decided to provide demos of many of the techniques discussed. These techniques won't make your site 100% secure, but they will help reduce the risk of attack. Remember that you still need to protect against XSS: an injected script runs in your page's origin, so it can read any anti-CSRF token and submit it along with the forged request, and none of these techniques will stop that.
I created the following techniques whilst investigating OpenID security, where I found that many sites do not even employ a form token for requests that change state. The code is still under development, but I hope it provides a good base for improving the security of your site.
No. 1 — August 23rd, 2007 at 11:08 am
Source code to be released soon, any volunteers to test and improve it before release?
No. 2 — August 29th, 2007 at 9:13 am
Works fine in Firefox 2.0.0.6. Looking good overall.
I guess the JavaScript token is created inside the server and stored in the user session?
No. 3 — August 29th, 2007 at 9:25 am
Hi Alexander
Yeah, the server generates a PHP token based on the same code the client generates using JavaScript. The source code is available for the JavaScript/PHP generation if you want to look at how it works:
http://www.thespanner.co.uk/2007/08/15/random-javascript-and-php-generation/