Protection from csrf


I was trying to use the form key method for CSRF protection described here: http://net.tutsplus.com/tutorials/php/secure-your-forms-with-form-keys/ . But it only applies to one form on a page. My question is:

Suppose I have a form

<form action="action.php" method="post">
<!-- code here -->
</form>

and the PHP I'm using is

<?php
session_start(); // required before $_SESSION can be read
if(isset($_POST['submit']) && isset($_SESSION['user']))
{
//do something
}

I'm already using the session user to confirm that he is logged in, and the form is being submitted by my site since the session was created on my site. Do I have to use a CSRF protection method too?


Solution

  • Do I have to use a CSRF protection method too?

    Yes, because this is exactly why CSRF is dangerous; the cookies of a "victim" are unknowingly sent to the server to perform a particular action on behalf of the "hacker" when they submit a modified form on another site, disguised by a cute kitten photo (for example).

    When the disguised form is submitted, your site can't tell the request apart from a legit one, because the authentication will be valid. Adding a CSRF token makes sure that the form was submitted from a page on your site.

    When the session is created you also generate a CSRF token. This token is then used for all the forms on your site for the duration of the session; doing this prevents problems with having multiple tabs open at the same time.

    Even if the form is copied from your page, including a CSRF token, that token would be stored in a session that doesn't belong to an authenticated user.
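The session-wide token scheme the answer describes, written out as an added example (this is not the answerer's code; the function names csrf_token, csrf_field and csrf_valid, the session key csrf_token and the hidden field name are assumptions). The token is created once when the session exists, the same hidden field goes into every form on the site, and action.php checks it after the login check from the question:

```php
<?php
// Added example: one CSRF token per session, used by all forms on the site.
// Assumes session_start() runs before any output on every page that renders or handles a form.
session_start();

// Create the token once per session, alongside the login state.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        // 32 random bytes from the CSPRNG, hex-encoded (64 characters)
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Hidden input to include in every form on the site (escaped for HTML attribute context).
function csrf_field(): string
{
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
}

// Returns true only if the submitted token matches the session token.
// Missing field, missing session token, or a non-string value all fail.
// hash_equals() compares in constant time, so the check does not leak
// how many leading characters matched.
function csrf_valid(array $post): bool
{
    if (empty($_SESSION['csrf_token'])
        || !isset($post['csrf_token'])
        || !is_string($post['csrf_token'])) {
        return false;
    }
    return hash_equals($_SESSION['csrf_token'], $post['csrf_token']);
}

// action.php: the login check from the question, then the token check.
if (isset($_POST['submit'])) {
    if (!isset($_SESSION['user'])) {
        http_response_code(401);
        exit('Not logged in');
    }
    if (!csrf_valid($_POST)) {
        // Request carried a valid session cookie but no token from one of our pages:
        // this is the cross-site case described in the answer.
        http_response_code(403);
        exit('Invalid CSRF token');
    }
    // do something
}
?>
<!-- Any form on the site: the same hidden field works in every form and in every open tab -->
<form action="action.php" method="post">
  <?= csrf_field() ?>
  <!-- other fields -->
  <input type="submit" name="submit" value="Send">
</form>
```

Because the token lives in $_SESSION, a copy of the form on another site carries either no token or a token tied to the attacker's own session, which never equals the victim's; the check fails without needing per-form keys. If the session is created before login, call session_regenerate_id(true) at login and generate the token after it, so the token is bound to the authenticated session rather than the pre-login one.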