September 17, 2012

Cross-site request forgery (CSRF) Updated

Cross-site request forgery (CSRF) Updated

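/**
 * Verify the CSRF protection for the current request.
 *
 * Requests without POST data are not verified; they only receive a fresh
 * CSRF cookie via csrf_set_cookie() (that call's return value is passed
 * through unchanged).
 *
 * For POST requests the check is layered:
 *   1. If a Referer header is present, its host is compared with the
 *      request's Host header. A foreign host is rejected via
 *      csrf_show_error(), unless it is one of the trusted hosts listed
 *      below, in which case the token check is skipped as well (the
 *      existing exemption for apps.facebook.com, kept as-is).
 *   2. Requests carrying "X-Requested-With: XMLHttpRequest", or a
 *      same-host Referer, are accepted without a token (as in the original
 *      logic). Every other POST must carry a token in
 *      $_POST[$this->_csrf_token_name] that is identical to
 *      $_COOKIE[$this->_csrf_cookie_name]; otherwise csrf_show_error() is
 *      called. Previously this token check was unreachable: it sat in the
 *      branch taken only when no Referer is present and then re-tested for
 *      a Referer, so POSTs without a Referer were never verified at all.
 *
 * On success the token is removed from $_POST and $_COOKIE, a new hash is
 * generated and a fresh cookie is issued, so every POST rotates the token
 * (the original only did this in the Referer-less branch and otherwise
 * returned NULL).
 *
 * NOTE(review): csrf_show_error() is assumed to terminate the request
 * (CodeIgniter's show_error() does); if it returned, a rejected request
 * would fall through to the success path -- confirm against its implementation.
 * NOTE(review): Host is a client-supplied header; the same-host comparison is
 * only as trustworthy as the web server's handling of unknown Host values.
 *
 * @return mixed  $this, or the result of csrf_set_cookie() for non-POST requests
 */
public function csrf_verify()
{
    // If no POST data exists we will set the CSRF cookie
    if (count($_POST) === 0)
    {
        return $this->csrf_set_cookie();
    }

    // Foreign hosts whose POSTs are accepted without a token (Facebook
    // canvas apps POST into the app from apps.facebook.com).
    $trusted_hosts = array('apps.facebook.com');

    // A custom request header cannot be attached by a plain cross-site form
    // submission, which is why XHR requests were accepted without a token.
    $is_xhr = isset($_SERVER['HTTP_X_REQUESTED_WITH'])
        && $_SERVER['HTTP_X_REQUESTED_WITH'] === 'XMLHttpRequest';

    $skip_token_check = $is_xhr;

    if (isset($_SERVER['HTTP_REFERER']))
    {
        // parse_url() yields NULL for a missing host and FALSE for a
        // malformed URL; both are treated as an unknown (foreign) host.
        $referer_host = parse_url($_SERVER['HTTP_REFERER'], PHP_URL_HOST);
        $referer_host = is_string($referer_host) ? strtolower($referer_host) : '';

        // HTTP_HOST may carry a port ("host:8080"), which the parsed Referer
        // host never does, so strip it before comparing. Host names are
        // case-insensitive.
        $own_host = isset($_SERVER['HTTP_HOST'])
            ? strtolower(preg_replace('/:\d+$/', '', $_SERVER['HTTP_HOST']))
            : '';

        if (in_array($referer_host, $trusted_hosts, TRUE))
        {
            // Trusted cross-site origin: no token expected.
            $skip_token_check = TRUE;
        }
        elseif ($referer_host === '' || $referer_host !== $own_host)
        {
            // Unknown or foreign Referer host.
            $this->csrf_show_error();
        }
        else
        {
            // Same-host Referer: accepted without a token, as in the original logic.
            $skip_token_check = TRUE;
        }
    }

    if ( ! $skip_token_check)
    {
        // Do the tokens exist in both the _POST and _COOKIE arrays, and do they
        // match? Both must be plain strings so that "token[]=..." is rejected
        // rather than compared as an array. Strict comparison avoids PHP's
        // numeric-string equality rules ("1e3" == "1000"); on PHP 5.6+,
        // hash_equals() would additionally remove the timing side channel.
        if ( ! isset($_POST[$this->_csrf_token_name], $_COOKIE[$this->_csrf_cookie_name])
            || ! is_string($_POST[$this->_csrf_token_name])
            || ! is_string($_COOKIE[$this->_csrf_cookie_name])
            || $_POST[$this->_csrf_token_name] !== $_COOKIE[$this->_csrf_cookie_name])
        {
            $this->csrf_show_error();
        }
    }

    // We kill this since we're done and we don't want to
    // pollute the _POST array
    unset($_POST[$this->_csrf_token_name]);

    // Nothing should last forever
    unset($_COOKIE[$this->_csrf_cookie_name]);
    $this->_csrf_set_hash();
    $this->csrf_set_cookie();

    log_message('debug', "CSRF token verified ");

    return $this;
}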

Last updated: March 19, 2014