
[PHP] CSRF Protection

Intelligent DoucheBag
Loyal Member
PHP CSRF Protection.

Add this token (stored in the session) to each form and validate on each POST.

PHP:
<?php

class HazeCSRF
{
	// Generates a per-session token and stores it in the session.
	public static function setCSRFToken()
	{
		$session_id = session_id();
		$user_ip = $_SERVER['REMOTE_ADDR'];
		$time = time();

		$token = HazeHash::create($session_id.$user_ip.$time);

		HazeRequest::setSession('csrf_token', $token);
	}

	// Returns base64(IV . ciphertext) of the session token, for embedding in a form.
	public static function encryptCSRFToken($method = "AES-256-CBC")
	{
		$advanced = HazeConfig::get('Advanced');
		$secret = $advanced['encrypt_salt'];

		if(!HazeRequest::getSession('csrf_token'))
		{
			self::setCSRFToken();
		}

		// The IV length must come from the OpenSSL cipher actually in use (16 bytes for
		// AES-256-CBC); the mcrypt MCRYPT_CAST_256 size is unrelated and mcrypt was removed
		// in PHP 7.2. random_bytes() is a CSPRNG, unlike MCRYPT_RAND.
		$iv_size = openssl_cipher_iv_length($method);
		$iv = random_bytes($iv_size);

		$encrypted = openssl_encrypt(HazeRequest::getSession('csrf_token'), $method, $secret, 0, $iv);
		return base64_encode($iv.$encrypted);
	}

	// Reverses encryptCSRFToken(); returns false for malformed or tampered input.
	public static function decryptCSRFToken($token, $method = "AES-256-CBC")
	{
		$advanced = HazeConfig::get('Advanced');
		$secret = $advanced['encrypt_salt'];

		$token = base64_decode($token, true);
		if($token === false)
		{
			return false;
		}

		$iv_size = openssl_cipher_iv_length($method);
		if(strlen($token) < $iv_size)
		{
			return false;
		}
		$iv = substr($token, 0, $iv_size);

		// openssl_decrypt() returns false on a bad key, IV or padding.
		return openssl_decrypt(substr($token, $iv_size), $method, $secret, 0, $iv);
	}

	public static function isValid($csrf_token)
	{
		$token = self::decryptCSRFToken($csrf_token);
		$expected = HazeRequest::getSession('csrf_token');

		// Strict, constant-time comparison. A loose == would treat a failed decrypt (false)
		// as equal to an unset session token (null), which accepts any garbage submission.
		if($token !== false && is_string($expected) && hash_equals($expected, $token))
		{
			// Rotate the token after a successful check so it cannot be replayed.
			self::setCSRFToken();
			return true;
		}

		return false;
	}
}

I'll just leave it here.
Good luck.
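Wiring a session-stored token into a form and its POST handler, as an added example that is not part of the original post: it uses $_SESSION and random_bytes() directly rather than the HazeRequest/HazeHash helpers, and assumes session_start() has already run (simulated here with a plain array so it runs from the CLI).

```php
<?php
// Added example (not from the original post): a session-stored CSRF token
// wired into a form and its POST handler, using $_SESSION and random_bytes()
// in place of the HazeRequest/HazeHash helpers; session_start() assumed.

function csrf_token(): string
{
    // One random token per session; rotated only after a successful check.
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

function csrf_field(): string
{
    // Hidden input to drop into every state-changing form.
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
}

function csrf_is_valid(array $post): bool
{
    $expected = $_SESSION['csrf_token'] ?? '';
    $given = $post['csrf_token'] ?? '';
    // Reject a missing session token outright; a loose == against null/false
    // would otherwise pass. hash_equals() is strict and constant-time.
    if ($expected === '' || !is_string($given) || !hash_equals($expected, $given)) {
        return false;
    }
    unset($_SESSION['csrf_token']);   // rotate: a captured token is single-use
    return true;
}

function check(bool $cond, string $what): void
{
    if (!$cond) { throw new RuntimeException("FAILED: $what"); }
}

// Simulated request cycle (constructed; run with `php csrf_demo.php`).
$_SESSION = [];
$html = csrf_field();                       // GET: render the form
$tok = $_SESSION['csrf_token'];
check(strpos($html, $tok) !== false, 'token embedded in form');
check(csrf_is_valid(['csrf_token' => $tok]), 'genuine submit accepted');
check(!csrf_is_valid(['csrf_token' => $tok]), 'replay rejected after rotation');
csrf_token();                               // a new form is rendered later
check(!csrf_is_valid([]), 'submit without token rejected');
check(!csrf_is_valid(['csrf_token' => 'not-the-token']), 'wrong token rejected');
echo "all CSRF checks passed\n";
```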