Just wondering if requiring a hashed PHPSESSID to be sent to all forms or action scripts is enough for CSRF protection? I understand this can be obtained if the user’s are on the same physical network (firesheep). Example:
http://site.com/deleteMessage.php?mid=22&token=MD5ed_PHPSESSID
Disregarding the same network issue the PHPSESSID:
1) Is known only to the user doing the action
2) Can not be guessed by an attacker crafting a malicious img or request (<img src="http://site.com/deleteMessage.php?mid=22&token=I_DONT_KNOW_IT_:( )
3) Can not be pulled on the same site assuming no XSS vulnerabilities exist.
4) Can easily be pulled by the legitimate user (Javascript fills the form or GET var in the link)
Number 3 worries me, although I don’t have any XSS vulnerabilities that I’m aware of, as I htmlentities($string,ENT_QUOTES)ed everything, I do not like relying on assumptions. Is this sufficient CSRF protection or is there a better way?
No, you should use a token that is independent from the session ID. Just think of the case where an attacking site is able to obtain the victim’s session ID somehow (cf. session fixation and session hijacking) but isn’t able to use the session itself due to some additional session protection measures. Then it would still be possible to forge authentic requests as the token can be derived from the known session ID.
Just use a random token as everyone suggests.