How Can I Prevent CSRF Attacks in PHP, Specifically Using the Kohana Framework?

Preventing Cross-Site Request Forgery (CSRF) in PHP

Question: Can you elaborate on how to apply techniques mentioned in the Wikipedia article to prevent CSRF in PHP, specifically in the Kohana framework?

Answer:

To prevent CSRF in PHP, you can implement the following measures:

• Validate a one-time token in both GET and POST parameters. This token should be unique for each request and should expire after a short duration. A simple example of this in PHP is provided below:

// On the page requesting to delete a record
session_start();
$token = isset($_SESSION['delete_customer_token']) ? $_SESSION['delete_customer_token'] : "";
if (!$token) {
    // Generate and persist a new token
    $token = md5(uniqid());
    $_SESSION['delete_customer_token']= $token;
}
session_write_close();

// When actually performing the deletion
session_start();
// Validate the token
$token = isset($_SESSION['delete_customer_token']) ? $_SESSION['delete_customer_token'] : "";
if ($token && $_POST['token'] === $token) {
    // Delete the record
    ...
    // Remove the token after successful deletion
    unset($_SESSION['delete_customer_token']);
} else {
    // Log a potential CSRF attack
}
session_write_close();

• Check the HTTP Referer header. The Referer header contains the URL of the page that referred to the current page. If the Referer header does not match the expected value, it may indicate a CSRF attack.

In Kohana, you can retrieve the referrer URL using the Request::referrer() method. To ensure the referrer URL is legitimate, you can compare it to a trusted list of domains that are allowed to refer to your site.

By implementing these measures, you can help protect your PHP applications from CSRF attacks.

The above is the detailed content of How Can I Prevent CSRF Attacks in PHP, Specifically Using the Kohana Framework?. For more information, please follow other related articles on the PHP Chinese website!