PHP
Mors Clamor, 2020-12-11 14:22:25

Did I secure the site correctly?

Hello! I'm implementing authorization on the site and CSRF protection, and I'm not sure whether I did it right.
Authorization:
In the database, the user has an authKey field; during authorization, an authKey cookie is created with the value of that field. authKey is a random string generated by a secure algorithm, 32 bytes. The cookie is not encrypted in any way. Is this normal?

CSRF:
Creating a token

public function generateCSRF() {
    $strong = true;
    if (!isset($_SESSION["csrf"])) {
        // 32 random bytes, hex-encoded to 64 characters, created once per session.
        // $strong is passed by reference and must be checked: if it comes back
        // false, the bytes did not come from a cryptographically strong source.
        $_SESSION["csrf"] = bin2hex(openssl_random_pseudo_bytes(32, $strong));
        if (!$strong) {
            throw new RuntimeException("No cryptographically strong random source");
        }
    }
    return $_SESSION["csrf"];
}


Examination:
public function checkCSRF(string $csrf): bool {
    // A missing session token must never match (with loose ==, null == "" is true),
    // and two hex strings of the form "0e..." compare as equal numbers under ==.
    // Use a strict, constant-time comparison instead.
    if (!isset($_SESSION["csrf"])) {
        return false;
    }
    return hash_equals($_SESSION["csrf"], $csrf);
}


Well, checkCSRF is used when checking the form, where this key is written as a hidden field. Thanks in advance!

2 answers
Dimonchik, 2020-12-11
@66demon666

You're right; the most important thing is to understand the idea. Once you do, you'll see that it's better to put the CSRF token in JS code, which already makes it harder for an attacker, plus other bells and whistles. Well, the check is correct, but have you inserted it on ALL the pages where it is needed?
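As an added example (not the poster's code nor either answerer's), here is how the pieces the question describes fit together, with the point raised above handled as well: the token check is strict and constant-time, and it runs once per request for every state-changing method instead of being pasted into each form, so no page can be missed. Everything beyond what the question states is an assumption for illustration: the function names, the `csrf` field and `X-CSRF-Token` header names, the `users.auth_key_hash` column, and hex encoding of the 32-byte authKey.

```php
<?php
// Added example, not the poster's code: a minimal CSRF + auth-cookie layer for
// a plain PHP app. Function names, the 'csrf' field/header names and the
// users.auth_key_hash column are assumptions for illustration.
declare(strict_types=1);

const CSRF_SESSION_KEY = 'csrf';
const CSRF_FIELD       = 'csrf';              // hidden form field name (assumed)
const CSRF_HEADER      = 'HTTP_X_CSRF_TOKEN'; // X-CSRF-Token header as PHP exposes it
const AUTH_COOKIE      = 'authKey';

/** Return the session's CSRF token, creating it on first use (32 bytes, hex-encoded). */
function csrfToken(): string
{
    if (empty($_SESSION[CSRF_SESSION_KEY])) {
        // random_bytes() is CSPRNG-backed and throws if no secure source exists,
        // so there is no $strong flag that can silently come back false.
        $_SESSION[CSRF_SESSION_KEY] = bin2hex(random_bytes(32));
    }
    return $_SESSION[CSRF_SESSION_KEY];
}

/** Hidden input for forms; the token is HTML-escaped even though it is plain hex. */
function csrfHiddenField(): string
{
    return '<input type="hidden" name="' . CSRF_FIELD . '" value="'
        . htmlspecialchars(csrfToken(), ENT_QUOTES, 'UTF-8') . '">';
}

/** Strict, constant-time check; a missing session token never matches anything. */
function csrfValid(?string $submitted): bool
{
    $expected = $_SESSION[CSRF_SESSION_KEY] ?? null;
    if (!is_string($expected) || !is_string($submitted)) {
        return false;
    }
    return hash_equals($expected, $submitted); // no '==' numeric-string surprises
}

/**
 * Call once per request (front controller or auto_prepend_file), not per form:
 * every state-changing method is gated, so no page can be forgotten.
 */
function enforceCsrf(): void
{
    $method = $_SERVER['REQUEST_METHOD'] ?? 'GET';
    if (in_array($method, ['GET', 'HEAD', 'OPTIONS'], true)) {
        return; // safe methods carry no token, so they must never change state
    }
    $submitted = $_POST[CSRF_FIELD] ?? $_SERVER[CSRF_HEADER] ?? null;
    if (!csrfValid($submitted)) {
        http_response_code(403);
        exit('CSRF token missing or invalid');
    }
}

/** Issue the login cookie. The value is a bearer token, so the flags matter more than encryption. */
function setAuthCookie(string $authKey): void
{
    setcookie(AUTH_COOKIE, $authKey, [
        'expires'  => time() + 30 * 24 * 3600,
        'path'     => '/',
        'secure'   => true,   // HTTPS only
        'httponly' => true,   // unreadable from JavaScript, so an XSS cannot simply copy it
        'samesite' => 'Lax',  // browsers omit it on cross-site POSTs: a second CSRF barrier
    ]);
}

/**
 * Resolve the current user. Only sha256(authKey) is stored in the database (assumed
 * column users.auth_key_hash), so a leaked users table yields no usable cookies.
 */
function userFromAuthCookie(PDO $db): ?array
{
    $key = $_COOKIE[AUTH_COOKIE] ?? null;
    // Assumed form of the cookie: 32 random bytes, hex-encoded (64 hex characters).
    if (!is_string($key) || !preg_match('/^[0-9a-f]{64}$/', $key)) {
        return null;
    }
    $stmt = $db->prepare('SELECT id, login FROM users WHERE auth_key_hash = ?');
    $stmt->execute([hash('sha256', $key)]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// --- usage: top of every web request (assumed front controller) ---
if (PHP_SAPI !== 'cli') {
    session_start();
    enforceCsrf();
    // ... later, inside any form template: echo csrfHiddenField();
}
```

Two caveats the question touches on: the authKey cookie does not need encrypting, because it is a random bearer token that carries no information, but it does need the Secure, HttpOnly and SameSite flags, and storing only its hash server-side turns a database leak into something less than a mass session hijack. The array form of setcookie() with a `samesite` option requires PHP 7.3 or later.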

catanfa, 2020-12-30
@catanfa

The described method is not protection against CSRF. An attacker can use JS to send a request to your site, and the browser will pass any cookies automatically, so the CSRF attack will succeed. Try it yourself. Usually the CSRF token is a hidden form field that is generated uniquely each time and checked on the server. In this scenario, the attacker cannot know the value of this field, and accordingly the attack will fail.
