Protection against CSRF part 2

Continuing from my previous post I have decided to provide demos of a lot of the techniques discussed. These techniques won’t make your site 100% secure but they will help reduce the risk of attack. Remember you need to protect against XSS and these techniques will not stop your site from being attacked with XSS.

I created the following techniques whilst investigating OpenID security and I found many sites do not even employ a form token for site requests. The code is currently being developed but I hope it provides a good base for improving the security of your site.

CSRF Demos

3 Responses to “Protection against CSRF part 2”

  1. Gareth Heyes writes:

    Source code to be released soon, any volunteers to test and improve it before release?

  2. Alexander Waldmann writes:

    Works fine in firefox Looking good overall.

    I guess the javascript token is created inside the server and stored in the user session?

  3. Gareth Heyes writes:

    Hi Alexander

    Yeah the server generates a PHP token based on the same code the client generates using javascript. The source code is available for the Javascript/PHP generation if you want to look how it works