I am new to this term “CSRF token”. How can I implement a CSRF token in my PHP? By the way, where should this be used? I really don’t have any idea on this. I just accidentally found this by browsing in Google, so I immediately posted a question here. I know lots of SitePoint people here are familiar with this.
Sally opens the URL (again, usually hidden), and because the cookie is on Sally’s PC, the cookie gets sent as well, authenticating the request as if Sally had done so.
How does a session variable counteract that?
Sally logs in, which creates a session ID.
John has to send Sally the URL before the session expires, or it won't work anymore (because she’s logged out after X minutes, for example).
How does a CSRF Token counteract it?
Whenever Sally visits yourwebsite.com/doactionform.php, the page generates a unique token, and stores it somewhere (database most common). It also puts it into a hidden field of the form.
John sends Sally a URL to the processing page.
Sally opens the URL, but the processing page detects no token was passed, and rejects the action, even if Sally’s signed in.
If Sally did actually go to the form, fill it out, and hit the submit button, the processing page reads the token, verifies it against the database, erases the token from the database (thus preventing it from being reused!), and processes the action.
It’s a more server-intensive system, obviously, which is why I asked what it is you’re using it for.
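The generate / embed / verify / erase cycle described in the answer above, written out as an added PHP example (this is not code from the original thread or from any poster). Two assumptions differ from the post: the token is kept in the PHP session rather than a database table, so no schema is needed to run it, and each form gets its own named token so two open tabs do not cancel each other out. The file names `doactionform.php` and `process.php` in the usage section are taken from the thread; `csrf_token`, `csrf_field`, `csrf_verify` and the 30-minute lifetime are choices made for this example.

```php
<?php
// csrf.php - added example, not from the original thread.
// Session-backed single-use CSRF tokens: generate, embed in a form, verify, then erase.
// Assumption: a web request has already called session_start() before these functions run.

declare(strict_types=1);

const CSRF_SESSION_KEY = 'csrf_tokens';
const CSRF_TOKEN_TTL   = 1800; // seconds a token stays valid (30 minutes, an arbitrary choice)

/**
 * Generate a fresh token for a named form and remember it in the session.
 * random_bytes() is the CSPRNG; 32 bytes gives a 256-bit token that cannot be guessed.
 */
function csrf_token(string $form): string
{
    $token = bin2hex(random_bytes(32));
    $_SESSION[CSRF_SESSION_KEY][$form] = [
        'value'   => $token,
        'expires' => time() + CSRF_TOKEN_TTL,
    ];
    return $token;
}

/** The hidden <input> to place inside the <form>; the value is HTML-escaped. */
function csrf_field(string $form): string
{
    return sprintf(
        '<input type="hidden" name="csrf_token" value="%s">',
        htmlspecialchars(csrf_token($form), ENT_QUOTES, 'UTF-8')
    );
}

/**
 * Verify the token that arrived with the POST body and erase it so it cannot be replayed.
 * Returns true only when a token was issued, has not expired, and matches in constant time.
 */
function csrf_verify(string $form, array $post): bool
{
    $stored = $_SESSION[CSRF_SESSION_KEY][$form] ?? null;
    // Erase first: a failed attempt must not leave the token usable for a second try.
    unset($_SESSION[CSRF_SESSION_KEY][$form]);

    $submitted = $post['csrf_token'] ?? null;
    if ($stored === null || !is_string($submitted)) {
        return false; // nothing issued, or nothing submitted (the cross-site request case)
    }
    if (time() > $stored['expires']) {
        return false; // token issued too long ago
    }
    // hash_equals() compares in constant time so the token is not leaked byte by byte.
    return hash_equals($stored['value'], $submitted);
}

// --- How the two pages from the thread would use it ----------------------------
// doactionform.php:
//   session_start();
//   echo '<form method="post" action="process.php">', csrf_field('doaction'),
//        '<button>Do action</button></form>';
//
// process.php:
//   session_start();
//   if ($_SERVER['REQUEST_METHOD'] !== 'POST' || !csrf_verify('doaction', $_POST)) {
//       http_response_code(403);
//       exit('Missing or invalid CSRF token');
//   }
//   // ... perform the state-changing action here ...

// --- Offline self-check: `php csrf.php` --------------------------------------
if (PHP_SAPI === 'cli') {
    $_SESSION = []; // stand in for the real session store when run from the command line

    // 1. Sally loads the form and submits it: token present and matching, accepted.
    $token = csrf_token('doaction');
    assert(csrf_verify('doaction', ['csrf_token' => $token]) === true);

    // 2. The same token sent again: already erased, so the replay is rejected.
    assert(csrf_verify('doaction', ['csrf_token' => $token]) === false);

    // 3. John's cross-site request: Sally's cookie arrives, but no token does.
    csrf_token('doaction');
    assert(csrf_verify('doaction', []) === false);

    // 4. A guessed token of the right length but wrong value is rejected.
    csrf_token('doaction');
    assert(csrf_verify('doaction', ['csrf_token' => str_repeat('a', 64)]) === false);

    echo "all checks passed\n";
}
```

The hidden field only proves that the browser rendered your form page, which is exactly what a forged request from another site cannot do. Keep the check on the POST handler and not on the form page, and reject any request that lacks the token before touching the database, as the answer describes.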