I’m making a web game for fun with lots of forms that post data to php pages. What are some methods to preventing people from using their own web forms to post to my site?
My knowledge PHP is not too advanced. So, while I’ve been researching this topic, unfortunately the answers I’ve found have been confusing me a little. I found this SO question from earlier that addressed the issue: Secure ajax form POST. I’m a little confused by the first answer and was wondering if somebody could provide an example in PHP. Some specific points I’m struggling with are:
- how would you save a token somewhere on your server?
- how do you decide what that token should be?
- if somebody is on the website, can’t they just view the source and
see the token in the hidden input element and use that in their own
third party form?
Thanks for your help!
There are a number of CSRF prevention libraries you can use. One is CSRFGuard at OWASP
You may also wish to read the main CSRF page to understand the issues and the CSRF Prevention Cheat Sheet to understand the principles behind the implementation design.
If you’ve read up and understood the issues, it should be a simple job to add your own protection, if you wish to construct your own implementation.
Bear in mind that if you have any XSS vulnerabilities, your CSRF protection can be simply bypassed. So be sure to understand XSS Prevention also.