Is putting a token in the URL secure to prevent CSRF attacks in PHP applications?

Tags: url, php, token, csrf, get

I want to use a token to prevent CSRF attacks on my website (written in PHP). I've used it in forms and it works well. But the logout link is not a form; it is only a hyperlink.
Is it secure if I put the token in the query string like this:

<a href="logout.php?token=9ae328eea8a72172a2426131a6a41adb">Logout</a>

If it has any problems, what are your suggestions and solutions?

Mohammad Saberi asked May 31 '14 05:05


2 Answers

I think one of the main disadvantages of using a CSRF token in GET requests is the possibility of an incompetent user easily disclosing his token by copying a link with the token and pasting it into some public content like a comment/post/etc. Also, GET query parameters including CSRF tokens are usually logged by HTTP servers/proxies, and that introduces another risk.

So I suggest you implement CSRF-secure links using something like this:

<form name="logout" action="logout.php" method="post">
<input type="hidden" name="token" value="9ae328eea8a72172a2426131a6a41adb"/>
</form>
...
<a href="/nojs.html" onclick="document.logout.submit(); return false">Logout</a>
dened answered Oct 17 '22 08:10
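The pattern from this answer (a hidden POST form submitted by the link, plus a logout endpoint that only accepts POST and checks the token) carried through end to end in PHP. This is an added example, not the answerer's code: it assumes PHP 7 or later (random_bytes, hash_equals), that sessions are enabled, that renderLogoutLink() is called from the page carrying the link and handleLogout() from logout.php, and that /nojs.html and /login.php exist.

```php
<?php
// Added example: one unguessable CSRF token per session, kept server-side,
// emitted into a hidden POST form, and verified by a POST-only logout handler.
// Assumes PHP >= 7 and that sessions are enabled.

declare(strict_types=1);

session_start();

// Issue one unguessable token per session and store it server-side.
function csrfToken(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Constant-time comparison against the stored value; a missing, empty or
// non-string submission (e.g. token[]=x) is rejected before comparing.
function csrfTokenIsValid($submitted): bool
{
    if (!is_string($submitted) || $submitted === '' || empty($_SESSION['csrf_token'])) {
        return false;
    }
    return hash_equals($_SESSION['csrf_token'], $submitted);
}

// Called from the page that carries the "Logout" link.
function renderLogoutLink(): string
{
    $token = htmlspecialchars(csrfToken(), ENT_QUOTES, 'UTF-8');
    // Hidden POST form plus a link that submits it. /nojs.html (assumed to
    // exist) can carry a plain <form method="post"> with a submit button for
    // users without JavaScript.
    return <<<HTML
<form name="logout" action="logout.php" method="post">
  <input type="hidden" name="token" value="{$token}"/>
</form>
<a href="/nojs.html" onclick="document.logout.submit(); return false">Logout</a>
HTML;
}

// Called from logout.php.
function handleLogout(): void
{
    // State-changing action: accept POST only, so a plain <a> or <img> pointing
    // at logout.php cannot trigger it, and the token never appears in a URL.
    if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
        http_response_code(405);
        header('Allow: POST');
        exit('Method Not Allowed');
    }
    if (!csrfTokenIsValid($_POST['token'] ?? null)) {
        http_response_code(403);
        exit('Invalid CSRF token');
    }
    // Token verified: drop the session and send the user to the login page.
    $_SESSION = [];
    session_destroy();
    header('Location: /login.php');
    exit;
}
```

Because the token only ever travels in a POST body, it does not end up in server or proxy access logs or in a pasted link, which is the risk this answer raises; the 405 on GET also means a logout.php URL shared by accident does nothing.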


Yes, if the CSRF token is 'unguessable' and validated: the approach is the same in both cases.

From Wikipedia's Cross-site Request Forgery - Prevention:

Web sites have various CSRF countermeasures available .. Requiring a secret, user-specific token in all form submissions and side-effect URLs prevents CSRF; the attacker's site cannot put the right token in its submissions.

It doesn't matter if the token is from a form value or a query string parameter [1]. An approach that prevents CSRF by including a token in forms is adaptable to (and valid for) hyperlinks [2].


[1] A MitM / proxy which can intercept a URL can just as easily intercept an HTML form. This is outside the scope of a standard CSRF attack or mitigation of such. In such cases the CSRF token value is 'knowable' and the system is not secure.

[2] This assumes the token is a per-user (and time-sensitive) value. A simple HMAC hash of the Session ID should be sufficient in most cases.

user2864740 answered Oct 17 '22 10:10
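Footnote [2] above suggests an HMAC of the session ID as a per-user, time-sensitive token that is validated the same way whether it arrives in a form field or a query string. The PHP below is an added example, not the answerer's code, and goes slightly beyond the footnote by folding an issue timestamp into the HMAC input so the token expires; it assumes PHP 7 or later, that sessions are enabled, that the secret comes from an environment variable CSRF_SECRET (the fallback string is a placeholder), and that handleLogoutRequest() is what logout.php runs.

```php
<?php
// Added example: per-session, time-limited CSRF token derived as
// HMAC-SHA256(secret, session_id | issued_at), accepted from either a POST
// field or a GET parameter. Assumes PHP >= 7 and enabled sessions.

declare(strict_types=1);

const CSRF_TTL_SECONDS = 3600;   // token lifetime chosen for this demo

// Server-side secret a client can never derive. The fallback is a placeholder;
// deploy with CSRF_SECRET set to a long random value.
function csrfSecret(): string
{
    return getenv('CSRF_SECRET') ?: 'placeholder-replace-with-a-long-random-secret';
}

// Token format: "<issued_at>.<64 hex chars>", bound to this session and time.
function csrfMakeToken(string $sessionId, int $issuedAt): string
{
    $mac = hash_hmac('sha256', $sessionId . '|' . $issuedAt, csrfSecret());
    return $issuedAt . '.' . $mac;
}

// Recompute the expected token and compare in constant time; malformed,
// future-dated or expired tokens are rejected before the comparison.
function csrfCheckToken($token, string $sessionId, int $now): bool
{
    if (!is_string($token) || !preg_match('/^(\d{1,12})\.([0-9a-f]{64})\z/', $token, $m)) {
        return false;
    }
    $issuedAt = (int) $m[1];
    if ($issuedAt > $now || $now - $issuedAt > CSRF_TTL_SECONDS) {
        return false;
    }
    return hash_equals(csrfMakeToken($sessionId, $issuedAt), $token);
}

// Same check whichever transport carried the token: POST body first, then GET.
function csrfTokenFromRequest(array $post, array $get)
{
    return $post['token'] ?? $get['token'] ?? null;
}

// The hyperlink form of the token, as in the question; a hidden form field
// would carry exactly the same value.
function logoutLinkHtml(string $sessionId, int $now): string
{
    $token = rawurlencode(csrfMakeToken($sessionId, $now));
    return '<a href="logout.php?token=' . htmlspecialchars($token, ENT_QUOTES, 'UTF-8') . '">Logout</a>';
}

// logout.php
function handleLogoutRequest(): void
{
    session_start();
    $token = csrfTokenFromRequest($_POST, $_GET);
    if (!csrfCheckToken($token, session_id(), time())) {
        http_response_code(403);
        exit('Invalid or expired CSRF token');
    }
    $_SESSION = [];
    session_destroy();
    header('Location: /login.php');
    exit;
}
```

Nothing needs to be stored per token: validity follows from the secret, the session ID and the timestamp, so calling session_regenerate_id() at login automatically invalidates every token issued before it. The short TTL also bounds the window in which a token that leaked through a log or a pasted link (the risk the other answer describes) would still be usable.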