  1. #1

    Protecting href from XSRF?

    I am coding a basic message board module for my site. To prevent XSRF, what I have been doing so far is using a time-sensitive session token, hidden in an input on the reply forms, that is validated when the form is submitted. When viewing a thread, I have href links to delete and report posts that I would like to protect as well. I've read that putting the token as a GET parameter defeats the purpose of having any protection at all. Is this true? If so, how do I protect these hrefs from XSRF since they aren't forms?

  2. #2
    Just as a general principle you shouldn't be using a GET request to perform significant actions anyway. Clicking on a link should always lead to a confirmation page, which will be a POST form, and that can include your time-sensitive token. As a bonus, the moderator shouldn't wait long between clicking the "Delete" link and confirming so you can set a short expiry time for extra safety.
    Chris

    "Some problems are so complex that you have to be highly intelligent and well informed just to be undecided about them." - Laurence J. Peter

  3. #3
    When using a form with a unique string for verification, use $_POST. It looks nicer for the user. The string that is generated should be based on randomness (time is predictable). Then you can also use a secondary page or an ajax pop-up that has another form, asking if they want to continue.

    Without using forms, you'll have to use either session or cookie variables. Using cookies would be more insecure than sessions. On each page load, regenerate the user's variable. Now, without a form it would have to be passed as a GET. When submitted, it could redirect them to a success page and then auto-redirect to the thread, where it kills the GET var in the URL on the success -> thread transition.
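The pattern from #2 (link opens a confirmation page whose POST form carries a short-lived token) combined with the point from #3 (the token comes from a CSPRNG, not the clock), as an added PHP example that is not code from this thread. It assumes a `delete.php` endpoint, a `thread.php` page to return to, and an application function `delete_post()` that is not shown here.

```php
<?php
// Added example (not from the thread). GET /delete.php?id=42 from the "Delete"
// href only renders a confirmation form; the post is deleted only on a POST
// whose random, time-limited token matches the one stored in the session.
session_start();

const TOKEN_TTL = 120; // seconds; the moderator confirms right away, so keep it short

function issue_token(): string {
    $token = bin2hex(random_bytes(32));            // randomness, not the predictable clock
    $_SESSION['csrf'] = ['value' => $token, 'expires' => time() + TOKEN_TTL];
    return $token;
}

function check_token(?string $submitted): bool {
    $stored = $_SESSION['csrf'] ?? null;
    unset($_SESSION['csrf']);                      // single use: a replayed token fails
    if ($stored === null || $submitted === null) return false;
    if (time() > $stored['expires']) return false; // expired, e.g. a stale open tab
    return hash_equals($stored['value'], $submitted); // constant-time comparison
}

$postId = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT)
       ?: filter_input(INPUT_POST, 'id', FILTER_VALIDATE_INT);
if ($postId === null || $postId === false) { http_response_code(400); exit('bad id'); }

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!check_token($_POST['csrf'] ?? null)) {
        http_response_code(403);
        exit('invalid or expired token');
    }
    delete_post($postId);                          // assumed application function
    header('Location: /thread.php');               // back to the thread, nothing left in the URL
    exit;
}

// GET: the link itself changes nothing, it just shows the POST form with the token.
$id    = (int)$postId;
$token = htmlspecialchars(issue_token(), ENT_QUOTES, 'UTF-8');
echo <<<HTML
<form method="post" action="/delete.php">
  <p>Delete post #{$id}?</p>
  <input type="hidden" name="id" value="{$id}">
  <input type="hidden" name="csrf" value="{$token}">
  <button type="submit">Yes, delete</button>
</form>
HTML;
```

Because the state change only happens on the POST and the token is never placed in an href, a forged link or image tag can at most display the confirmation page.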
