CSRF (Cross-Site Request Forgery) vulnerability issue

Source: Internet
Author: User

Recently, after finishing a PHP project, I discovered a CSRF vulnerability in it. It dragged me down for a whole day; I was absorbed in solving the problem, with no appetite for food or drink, growing thinner by the hour. Time is pressing, so this article is rather rough; please bear with it.

Okay, enough rambling. Here is today's solution.

The blogger uses the ThinkPHP framework. The first thing to do about this problem was to look up the relevant information, and the sources online say it can be solved with form tokens.

If you do not set a form token, a form is easily exposed to CSRF (cross-site request forgery): the form being submitted from another site.

Form tokens are a very useful technique (blogger's PS: honestly, of limited use). A random token is generated in the view part of the form, by default a random MD5 string, and placed in a hidden input. When the form data is submitted, the submitted token is compared with the token stored in the session to determine whether the submission is cross-site.
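The mechanism described above, written out as a framework-free PHP example (added here; this is not ThinkPHP's own implementation). It assumes a session has already been started, keeps the same key_value layout in the hidden field so several forms can be open at once, and stores tokens under $_SESSION['__hash__']; the function names token_build and token_check and the constructed demo submissions are the example's own.

```php
<?php
// Added example: a framework-free form token (synchronizer token) in plain PHP.
// Not ThinkPHP's code; assumes session_start() has already run so $_SESSION is live.

// Generate a token, remember it in the session and return the hidden-field markup.
// The field value is "key_value": key identifies this form instance, value is the secret.
function token_build(string $fieldName = '__hash__'): string
{
    $key   = bin2hex(random_bytes(8));   // per-form identifier
    $value = bin2hex(random_bytes(16));  // unguessable secret (CSPRNG, not a guessable md5(time()))
    $_SESSION[$fieldName][$key] = $value;
    return sprintf(
        '<input type="hidden" name="%s" value="%s_%s" />',
        htmlspecialchars($fieldName, ENT_QUOTES, 'UTF-8'),
        $key,
        $value
    );
}

// Validate a submitted form against the session. The token is consumed on every
// attempt, success or failure, so a token can be used exactly once (no replay).
function token_check(array $post, string $fieldName = '__hash__'): bool
{
    if (!isset($post[$fieldName]) || !is_string($post[$fieldName]) || !isset($_SESSION[$fieldName])) {
        return false; // no token submitted, or nothing issued to this session
    }
    $parts = explode('_', $post[$fieldName], 2);
    if (count($parts) !== 2) {
        return false; // malformed token
    }
    list($key, $value) = $parts;
    if (!isset($_SESSION[$fieldName][$key])) {
        return false; // unknown form instance: forged, expired or already used
    }
    $expected = $_SESSION[$fieldName][$key];
    unset($_SESSION[$fieldName][$key]);  // one-time use, like TOKEN_RESET
    return hash_equals($expected, $value); // constant-time comparison
}

// Constructed demo run (no real HTTP request): a legitimate submission, a replay of it,
// and a forged submission that never received a token from this session.
if (PHP_SAPI === 'cli') {
    $_SESSION = [];
    $hidden = token_build();
    preg_match('/value="([^"]+)"/', $hidden, $m);

    $legit = ['name' => 'alice', '__hash__' => $m[1]];   // constructed: browser echoing the hidden field
    echo 'legitimate submission accepted: ', var_export(token_check($legit), true), PHP_EOL;
    echo 'replay of the same token accepted: ', var_export(token_check($legit), true), PHP_EOL;

    $forged = ['name' => 'mallory', '__hash__' => 'deadbeef_00000000'];  // constructed: cross-site post
    echo 'forged submission accepted: ', var_export(token_check($forged), true), PHP_EOL;
}
```

The two points this adds to the post's description are the constant-time comparison (hash_equals) and the unconditional consumption of the token, which is what prevents a captured token from being replayed; the attacker's page cannot read the victim's session token in the first place, which is why the check works.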

Turning on form tokens in ThinkPHP is simple: configure it in the config file (the blogger's path: Project/home/conf/config.php):

        'token_on'    => true,        // whether to turn on token validation
        'token_name'  => '__hash__',  // name of the hidden form field that carries the token
        'token_type'  => 'md5',       // token hash algorithm, defaults to md5
        'token_reset' => true,        // reset the token after a validation error, defaults to true

After adding the above configuration, you also need to configure tags.php. PS: If you do not have a tags.php, create one in the project/common/conf directory and insert the following code:

        <?php
        return array(
            // 'config item' => 'config value'
            'view_filter' => array('Behavior\TokenBuildBehavior'),
        );

Then you will see something like this on all of your form pages:

        <input type="hidden" name="__hash__" value="11f6b3285bf71a87811c3dadccb7b166_c6694a7c3a76bbf9ac7bf66a77d87310" />

If you only want form tokens on some pages, you can turn the token off in the actions whose pages do not need it:

        C('token_on', false);
        $this->display();

After the configuration is complete, add the following code to the method that your form's submission address points to:

        if (!$Data->autoCheckToken($_POST)) {
            $this->error('Illegal login!');
        }

The $Data above is the model instance.

That's all for today; back to writing code.
