PHP
Sergey Zhukov, 2015-11-18 13:52:46

Do I need a captcha for csrf protection?

Actually, can a bot also palm off CSRF? Is it possible not to use a captcha if there is CSRF protection?


3 answer(s)
Alexey Ukolov, 2015-11-18
@alexey-m-ukolov

CSRF is the token you will pass in the response to the request. Therefore, a bot can also receive and use it.
Well, in general, it was not invented for these purposes.

Sergey, 2015-11-18
@goodwin74

I don't see the connection between CSRF and captcha.

Sergey Rogozhkin, 2015-11-18
@thecoder

CSRF does not present any obstacles for a bot. For example, I can open a site through PhantomJS and programmatically hit the submit button. All required fields and cookies will be in place.
CSRF is needed so that a user who is already logged in to your site cannot perform actions in the background when visiting some unrelated site. That is, the user went to a porn site, and it spammed tweets on the sly, because the user is already logged in on Twitter. To avoid this, they generate a token when the original site is opened and bind it to the user session.
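
The distinction drawn in the answers above, as an added example that is not part of the thread: a session-bound token check in Python, where `SERVER_KEY`, the function names and the sessions are all constructed for the demo. It shows the check rejecting a cross-site forged request while accepting any client that loaded the form itself, scripted or not, which is why rate limiting or a captcha has to be a separate control.

```python
import hashlib
import hmac
import secrets

# Per-deployment secret; generated here only for the demo (assumption).
SERVER_KEY = secrets.token_bytes(32)


def new_session() -> str:
    """Session id the server would set as a cookie on first visit."""
    return secrets.token_hex(16)


def issue_token(session_id: str) -> str:
    """Token embedded in the served form, bound to the session by an HMAC."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def verify(session_id: str, submitted_token) -> bool:
    """Accept a state-changing request only if the token matches the session."""
    if not submitted_token:
        return False
    expected = issue_token(session_id).encode()
    return hmac.compare_digest(expected, str(submitted_token).encode())


def scenarios() -> dict:
    user = new_session()    # logged-in user's session cookie
    other = new_session()   # a session belonging to someone else
    client = new_session()  # session of a scripted client that loads the form
    return {
        # User opens the form on the real site and submits it.
        "user": verify(user, issue_token(user)),
        # Cross-site request: the browser attaches the user's cookie, but the
        # foreign page cannot read the form, so no token is sent.
        "forged_no_token": verify(user, None),
        # Cross-site request carrying a token issued for another session.
        "forged_foreign_token": verify(user, issue_token(other)),
        # Scripted client: it received its own token with the form, so the
        # CSRF check passes; the check says nothing about human vs. script.
        "scripted_client": verify(client, issue_token(client)),
    }


if __name__ == "__main__":
    for name, accepted in scenarios().items():
        print(f"{name:22} accepted={accepted}")
```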
