File: readme_FormToken.txt

Recommend this page to a friend!
  Classes of Ray Paseur  >  Lightweight PHP Form Token Validation  >  readme_FormToken.txt  >  Download  
File: readme_FormToken.txt
Role: Documentation
Content type: text/plain
Description: readme text file
Class: Lightweight PHP Form Token Validation
Generate and validate form tokens served via AJAX
Author: By
Last change:
Date: 1 year ago
Size: 1,631 bytes


Class file image Download
Class FormToken

This is a lightweight implementation of the dynamic Form Token strategy
that helps to mitigate "screen scraper" automation and Cross-Site Request 
Forgeries (CSRF).  More on the risks and attack methods can be found in 
these links: (Old but still useful)

It is axiomatic that today (2019) any web site of value should be using
HTTPS protocols, and not HTTP.  You must use HTTPS for the Form Token to
provide meaningful safety.  Most PHP installations will give you a data
point, such as $_SERVER['REQUEST_SCHEME'] to test for HTTPS.  You can 
rewrite any non-https requests, or simply discard these requests.

It is also important to use the right PHP session management.  If your 
PHP session data escapes into the wild it would be computationally 
trivial to extract the form token name and value, and these values
could be inserted into an HTML form.  Good info:

PHP offers a built-in CSRF mitigation function, output_add_rewrite_var()
but the effect is to place a hidden input control into the HTML forms. 
This leaves the script vulnerable to scraping.

To use Class FormToken, 
(1) Install the Class and require it in any PHP script that uses forms,
(2) Install the server_FormToken.php script,
(3) Follow the JavaScript/jQuery example shown in demo_FormToken.

Originally published, with discussion, here:

For more information send a message to info at phpclasses dot org.