Using this:
function nonce($str,$expires){
return sha1(date('Y-m-d H:i',ceil(time()/$expires)*$expires).$_SERVER['REMOTE_ADDR'].$_SERVER['HTTP_USER_AGENT'].$salt.$str);
}
Let's say I initialize my session_id after I log in, also generating a thumbprint, like this:
session_regenerate_id();
$_SESSION['thumbprint']=nonce(session_id().'thumbprint',86400);
And call these:
function valid_session(){
return ($_SESSION['thumbprint']==nonce(session_id().'thumbprint',86400));
}
function logged_in(){
return (valid_session()&&isset($_SESSION['user']['id'])&&isset($_SESSION['user']['typeid'])&&isset($_SESSION['user']['email']));
}
At the top of every page:
if(logged_in==false){//logout & redirect back to index}
With a thumbprint under such scrutiny do I even need to make tokens for each function call or is this implimentation sufficient to protect against CSRF?
::: 86400 is 24 hours which I realize is a long time. Is that too long to realy on a unique ID for?
::: When I say secure functions I mean functions could be secured by using the same nonce or a token.
Just use one-time tokens for form submissions. uniqid() is sufficient for this. Store the token in the session when you generate it, and include it in your form. Then on your form POST processing script, check to make sure the value posted is the value in the session.
All you're doing by generating thumbprints using stuff like $_SERVER['REMOTE_ADDR'] and such, is fundamentally breaking your application for people who use gateways (AOL is the canonical example).