I read in more than one website about this method of protecting forms:
I add a hidden field:
<input type="hidden" name="token" value="<?php echo $token; ?>" />
the token is generated by:
session_start(); // $_SESSION is only available after the session has been started
$token = md5(uniqid(rand(), TRUE));
$_SESSION['token'] = $token;
I do understand that this code is virtually unbreakable due to its randomness.
What I don’t understand is: why do they include the token in a hidden form field which can be viewed in the HTML source?
Could then a user save the form and copy the valid md5 token to a fake version of the form and submit it?
This is designed to prevent CSRF.
The point is not to stop Alice visiting Bob’s website, and then using the token to do bad things.
It is to stop Charles’ website from using JavaScript to make Alice’s browser submit a form to Bob’s website and do bad things (with Alice’s credentials). (Charles won’t have a copy of the token to put in the form).
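The piece the question's snippet leaves out is the server-side comparison on submission, which is where the protection actually happens. The following is an added example, not code from the question or the answer; it assumes PHP sessions are available and that session_start() runs before any output. It also swaps in random_bytes() for the md5(uniqid()) construction.

```php
<?php
// Added example: CSRF token round trip. The token is embedded in the form
// (as in the question) and checked against the session on POST. Charles'
// page cannot read Bob's HTML to copy the token (same-origin policy), so a
// cross-site submission arrives with no token or a wrong one and is rejected.
session_start();

function csrf_token(): string {
    // Generate once per session and reuse it, so several open forms stay valid.
    if (empty($_SESSION['token'])) {
        // random_bytes() is a CSPRNG; md5(uniqid(rand())) is not (assumed swap).
        $_SESSION['token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['token'];
}

function csrf_check(array $post): bool {
    // Fail closed: no session token, no submitted token, or a mismatch all reject.
    if (empty($_SESSION['token']) || empty($post['token'])) {
        return false;
    }
    // hash_equals() compares in constant time so timing does not leak the token.
    return hash_equals($_SESSION['token'], (string) $post['token']);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_check($_POST)) {
        http_response_code(403);
        exit('Invalid CSRF token');
    }
    // A legitimate submission from Bob's own form lands here.
    echo 'OK';
    exit;
}

$token = csrf_token();
?>
<form method="post" action="">
  <!-- Escaped on output; the value is only secret from other origins, not from the user -->
  <input type="hidden" name="token" value="<?php echo htmlspecialchars($token, ENT_QUOTES, 'UTF-8'); ?>" />
  <button type="submit">Submit</button>
</form>
```

Alice can of course read her own token in the page source, which is fine: the check only needs to distinguish a form that came from Bob's site from one that Charles' page submitted on her behalf.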