Preventing forced logout from untrusted sources in PHP

I have an action on my site:

http://mysite.com/User/Logout

This will cause the current user to log out of his session. Since this is a simple GET request, an attacker can either create links to this page, or even put this link in an image's src attribute, which will force users to log out. Anyway, I would like to keep the logout link simple without going too far, but at the same time I would like to be able to prevent the scenario described above.

Any ideas?

+5
6 answers

This is a classic CSRF scenario. There are two ways to handle it:

  • Use a form. Instead of a plain link, render a "Logout" form with a hidden token:

    <form action="/User/logout" method="post">
        <input type="submit" name="logout" value="Logout" />
        <input type="hidden" name="token" value="<?php echo getSessionToken(); ?>" />
    </form>
    

    Then accept POST only, and reject GET.

    On the PHP side:

    // hash_equals() compares in constant time; the isset() guard avoids a notice on a missing field
    if (!isset($_POST['token']) || !hash_equals(getSessionToken(true), $_POST['token'])) {
        die('CSRF!');
    }
    

    where getSessionToken is:

    function getSessionToken($reset = false) {
        if (!isset($_SESSION['random_token'])) {
            // random_bytes() draws from the OS CSPRNG; uniqid()/mt_rand() output is predictable
            $_SESSION['random_token'] = bin2hex(random_bytes(32));
        }
        $token = $_SESSION['random_token'];
        if ($reset) {
            // one-time token: discard it once it has been read for validation
            unset($_SESSION['random_token']);
        }
        return $token;
    }
    

    Note that validation calls getSessionToken with reset set, so each token is single-use (it is discarded once checked). A fresh one is generated the next time the form is rendered.

  • Use a token in the link. If you really want to keep a plain link, the same token can go into the URL as a query parameter, and you check it on the server in the same way:

    <a href="/User/logout?token=<?php echo getSessionToken(); ?>">Logout</a>
    

    Validate it the same way, against the query parameter instead of the POST field.

See the OWASP CSRF Guidelines for more on CSRF...

+5
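A fuller version of the synchronizer-token approach from the answer above, as an added example that is not part of the original answer or of any library. The helper names csrf_token() and csrf_check() are assumptions chosen for illustration, and the action path /User/Logout is taken from the question. Unlike the answer's getSessionToken(true), it keeps one token per session instead of discarding it on every check, so a logout form left open in a second tab still works, and it also rejects anything that is not a POST, since a link or an image src can only produce a GET.

```php
<?php
declare(strict_types=1);

// Hypothetical helpers for this example; names are not from the original page.

session_start();

// Return the session's CSRF token, generating it on first use.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        // 32 bytes from the OS CSPRNG, hex-encoded (64 chars)
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Accept the request only if it is a POST carrying the session's token.
function csrf_check(array $post, string $method): bool
{
    if ($method !== 'POST') {
        return false; // GET from a link or <img src> is rejected outright
    }
    $expected = $_SESSION['csrf_token'] ?? '';
    $given    = $post['token'] ?? null;
    if ($expected === '' || !is_string($given)) {
        return false; // no token in session (not logged in) or no/invalid field
    }
    // constant-time comparison; a plain == would also accept "0" == "0e..." style oddities
    return hash_equals($expected, $given);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_check($_POST, $_SERVER['REQUEST_METHOD'])) {
        http_response_code(403);
        exit('Invalid logout request');
    }

    // Full logout: clear session data, expire the session cookie, destroy server-side state.
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();

    header('Location: /', true, 303); // 303: the browser follows with a GET
    exit;
}
?>
<!-- Rendered for GET: the only way to log out is to submit this form -->
<form action="/User/Logout" method="post">
    <input type="hidden" name="token"
           value="<?= htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') ?>">
    <button type="submit">Logout</button>
</form>
```

If you prefer the plain-link variant from the answer's second bullet, the same csrf_check() logic applies with the token read from the query string instead of $_POST, but then the method check has to be dropped and the token ends up in browser history and server logs, so the POST form is the safer default.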

GET requests are supposed to be safe (that is, a GET must not have side effects such as logging the user out), so use POST for this. See RFC 2616 section 9.1.

Beyond the RFC issue with GET, there is still XSRF to handle. See ircmaxell's answer for that.

+5

Use HTTP POST instead of GET for this!

0

Have you considered a nonce? Put a #NONCE# in the link, and on logout compare that #NONCE# with the one stored on the server; reject the request if it does not match.

0

Since the session cookie is set by PHP as an HttpOnly cookie (JavaScript cannot read it), you can require the session id in the logout request:

<?php
   session_start();
   // the isset() guard avoids a notice when the parameter is absent
   if (!isset($_GET['logout_valid']) || $_GET['logout_valid'] !== session_id()) {
       // handle invalid logout request
       exit;
   } else {
       $_SESSION = array();
       session_destroy();
   }

0

Here is a simple implementation I wrote:

<?php

session_start();

// Render a logout form carrying a fresh CSRF token that is also stored in the session.
function logoutButton($name = 'logout', $action = '/User/logout'){
    $random_token = bin2hex(random_bytes(16));   // was md5(uniq_id()): typo, and uniqid() is predictable
    $_SESSION['csrf'] = $random_token;
    $form = '<form action="' . htmlspecialchars($action) . '" method="post">'
          . '<input type="hidden" value="' . $random_token . '" name="' . htmlspecialchars($name) . '">'
          . '<input type="submit" value="logout">'
          . '</form>';
    return $form;
}

// True only if the POSTed token matches the one stored in the session.
function isValidRequest($name = 'logout'){
    if(isset($_POST[$name], $_SESSION['csrf']) && hash_equals($_SESSION['csrf'], $_POST[$name])){
        return true;
    }
    return false;
}

if(isValidRequest()){
    //logout
} else {
    echo logoutButton();
}

Hope this is helpful to someone.

edit: Here is the class I created https://github.com/sahithvibudhi/PHP-CSRF-Protection-class

0