Cross-site request forgery, also known as a one-click attack or session riding and abbreviated as CSRF, is a type of malicious exploit of a website whereby unauthorized commands are transmitted from a user that the website trusts. Unlike cross-site scripting (XSS), which exploits the trust a user has for a particular site, CSRF exploits the trust that a site has in a user's browser. The attack works by including a link or script in a page that accesses a site to which the user is known (or is supposed) to have been authenticated. Because the browser attaches the site's session cookie to that request automatically, the site cannot tell it apart from one the user intended; a secret per-session token that a third-party page cannot read gives the site that missing signal.
CSRF protection can be configured through the security section in the application's config/config.php file.
To enable CSRF protection, start by adding the token to your form:
// in plain HTML
<input type="hidden" name="<?php echo \Config::get('security.csrf_token_key');?>" value="<?php echo \Security::fetch_token();?>" />
// using the Form class
echo \Form::csrf();
// using a form instance; this also adds a validation rule to the form's fieldset
$form = \Form::forge();
$form->add_csrf();
To manually check that the form was submitted by the client that requested it:
// check if a form was submitted
if ($_POST)
{
    // check for a valid CSRF token
    if ( ! \Security::check_token())
    {
        // reject the request: CSRF attack or expired CSRF token
    }
    else
    {
        // token is valid, you can process the form input
    }
}
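The following is an added example, not code from the FuelPHP documentation or framework. It shows the same session-bound token pattern that \Security::fetch_token() and \Security::check_token() implement (issue a random token, store it in the session, embed it in the form, compare on POST), written in plain PHP so it can be run from the command line without the framework. The function names csrf_fetch_token, csrf_check_token and csrf_hidden_field, the field and session keys, and the one-hour lifetime are assumptions made for this illustration.

```php
<?php
// Added example: framework-free implementation of a session-bound CSRF token.
// All names below (csrf_fetch_token, csrf_check_token, csrf_hidden_field, the
// 'csrf_token' keys, CSRF_TTL) are assumptions for this illustration, not FuelPHP's API.

declare(strict_types=1);

const CSRF_FIELD   = 'csrf_token';  // hidden input name (assumed)
const CSRF_SESSION = 'csrf_token';  // session key holding the token (assumed)
const CSRF_TTL     = 3600;          // seconds a token stays valid (assumed)

/**
 * Return the token for this session, minting a fresh one if none exists or
 * the existing one has expired. The value is 32 bytes from the CSPRNG, so a
 * third-party page cannot guess it, and it lives only in the server-side
 * session, so it is revealed only to the browser that owns that session.
 */
function csrf_fetch_token(array &$session, int $now): string
{
    $entry = $session[CSRF_SESSION] ?? null;
    if ($entry === null || $now - $entry['issued'] > CSRF_TTL) {
        $entry = [
            'value'  => bin2hex(random_bytes(32)),
            'issued' => $now,
        ];
        $session[CSRF_SESSION] = $entry;
    }
    return $entry['value'];
}

/**
 * Compare the submitted token with the session token. Fails closed when no
 * token was issued, the field is missing or not a string, the token has
 * expired, or the values differ. hash_equals() compares in constant time so
 * the token cannot be recovered byte by byte from response timing.
 */
function csrf_check_token(array $session, array $post, int $now): bool
{
    $entry     = $session[CSRF_SESSION] ?? null;
    $submitted = $post[CSRF_FIELD] ?? null;
    if ($entry === null || !is_string($submitted)) {
        return false;
    }
    if ($now - $entry['issued'] > CSRF_TTL) {
        return false;
    }
    return hash_equals($entry['value'], $submitted);
}

/** Render the hidden field, escaping the token so it cannot break out of the attribute. */
function csrf_hidden_field(string $token): string
{
    return sprintf(
        '<input type="hidden" name="%s" value="%s" />',
        htmlspecialchars(CSRF_FIELD, ENT_QUOTES, 'UTF-8'),
        htmlspecialchars($token, ENT_QUOTES, 'UTF-8')
    );
}

// Walk-through on constructed data; $session stands in for $_SESSION.
$session = [];
$now     = 1700000000;

// 1. Serving the form: issue a token and embed it in the page.
$token = csrf_fetch_token($session, $now);
echo csrf_hidden_field($token), PHP_EOL;

// 2. Legitimate submission: the browser posts back the field it was given.
$goodPost = [CSRF_FIELD => $token, 'email' => 'user@example.com'];
var_dump(csrf_check_token($session, $goodPost, $now + 10));

// 3. Forged submission: a cross-site page cannot read the victim's session
//    token, so the field is absent and the check rejects the request.
$forgedPost = ['email' => 'user@example.com'];
var_dump(csrf_check_token($session, $forgedPost, $now + 10));

// 4. Stale submission: after CSRF_TTL even the correct token is rejected,
//    which is the "expired CSRF token" branch of the check above.
var_dump(csrf_check_token($session, $goodPost, $now + CSRF_TTL + 1));
```

Run it with `php example.php`: case 2 passes, cases 3 and 4 are rejected. The two points worth carrying over to any framework are that the comparison must fail closed (a missing or non-string field is treated as an attack, never as "no token required") and that the token must be generated from a CSPRNG and compared with a constant-time function; a predictable or leaked token defeats the whole scheme regardless of how it is embedded in the form.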