Thursday, October 28, 2010

PHP XSRF Protection

This week I was in a training course which included how XSRF attacks work and how they can be relatively easily defended against.
I did a quick Google search for libraries which provide XSRF protection in a really simple way and came up empty. So I wrote one.

This class provides a simple method of protecting form submission from common Cross Site Request Forgery (XSRF) attacks.

Protection is accomplished by adding a randomised hidden field to each form; the field is checked when the form is processed. If the hidden field is missing or has been modified, the request should be rejected.

The method used is stateless and does not require any session management. This allows the request to be handled by a load-balanced cluster of front ends that do not share session information.

Protection against replay attacks can also be provided using the same method, but it requires session-local storage, which makes the scheme stateful and in turn requires distributed session management if multiple web servers are used.
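The two variants described above, as an added example written for this post rather than the code from the library it links to: a stateless token computed as an HMAC over a user identifier, a form name and an expiry time with a server-side secret (so any front end holding the secret can verify it without shared session state), plus an optional stateful check that records consumed tokens in the session to reject replays. The secret value, the function names and the `xsrf_token` field name are assumptions of this example.

```php
<?php
// Added example, not the library from the post. Stateless XSRF token: an HMAC
// over (user id, form name, expiry) keyed with a secret known to every front end.
// Placeholder secret: in real use load a long random value from configuration.
const XSRF_SECRET = 'replace-with-a-long-random-secret';

// Build a token bound to a user identifier and a form name that expires after $ttl seconds.
// json_encode gives an unambiguous payload even if the user id contains delimiter characters.
function xsrf_token(string $userId, string $formName, int $ttl = 3600, ?int $now = null): string
{
    $expires = ($now ?? time()) + $ttl;
    $payload = json_encode([$userId, $formName, $expires]);
    $mac = hash_hmac('sha256', $payload, XSRF_SECRET);
    return $expires . ':' . $mac;
}

// Validate a submitted token. True only if the MAC matches for this user and form
// and the token has not expired. No server-side state is consulted.
function xsrf_check(string $token, string $userId, string $formName, ?int $now = null): bool
{
    $now = $now ?? time();
    $parts = explode(':', $token, 2);
    if (count($parts) !== 2 || !ctype_digit($parts[0]) || strlen($parts[1]) !== 64) {
        return false; // malformed or tampered token
    }
    [$expires, $mac] = $parts;
    if ((int) $expires < $now) {
        return false; // expired
    }
    $expected = hash_hmac('sha256', json_encode([$userId, $formName, (int) $expires]), XSRF_SECRET);
    return hash_equals($expected, $mac); // constant-time comparison
}

// Render the hidden field to embed in a form.
function xsrf_field(string $userId, string $formName): string
{
    $value = htmlspecialchars(xsrf_token($userId, $formName), ENT_QUOTES, 'UTF-8');
    return '<input type="hidden" name="xsrf_token" value="' . $value . '">';
}

// Optional replay protection (stateful): remember consumed tokens in the session so a
// token is accepted once only. With several web servers this needs a shared session store.
function xsrf_check_once(string $token, string $userId, string $formName, array &$session): bool
{
    if (!xsrf_check($token, $userId, $formName)) {
        return false;
    }
    $used = $session['xsrf_used'] ?? [];
    if (isset($used[$token])) {
        return false; // already consumed: replay
    }
    $used[$token] = true;
    $session['xsrf_used'] = $used;
    return true;
}

// Usage sketch with constructed values (no real request involved).
$userId = 'user-42';
$form = 'change-email';
echo xsrf_field($userId, $form), "\n";            // goes into the HTML form

$submitted = xsrf_token($userId, $form);            // what the browser would post back
var_dump(xsrf_check($submitted, $userId, $form));   // true: valid token
var_dump(xsrf_check($submitted, 'user-7', $form));  // false: bound to a different user
var_dump(xsrf_check($submitted, $userId, 'delete')); // false: bound to a different form
var_dump(xsrf_check(substr($submitted, 0, -1) . 'x', $userId, $form)); // false: modified

$session = [];
var_dump(xsrf_check_once($submitted, $userId, $form, $session)); // true: first use
var_dump(xsrf_check_once($submitted, $userId, $form, $session)); // false: replayed
```

The user identifier should come from the authenticated session or, for anonymous visitors, from a value tied to the browser such as a cookie; binding the token to it is what stops a token obtained for one user from being submitted on behalf of another. The expiry bounds how long a leaked token stays usable in the stateless variant, and the token is meant to travel only in the POST body, not in a URL where it could end up in logs or referrer headers.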

If you're interested, check out http://sites.dparrish.com/php-xsrf-protection for the code.