Comments on: Cross-Site Request Forgeries (CSRF)

By: U238

U238 — Wed, 23 Jul 2008 20:00:46 +0000

Good tutorial , thnx bro.

By: Christopher

Christopher — Sat, 05 Jul 2008 13:16:11 +0000

Remember that the goal isn’t about creating a unique hash (though for all intents and purposes, it will be unique), the goal is to simply create a hash that is unguessable within the time the code is valid (say, 10 minutes).

While it is true that a random number and microtime isn’t 100% secure (for reasons that mt_rand() can be predicted under the right conditions), it is nevertheless a pretty good way. You can add a secret salt to the mix if you want more security.

By: Albert

Albert — Fri, 04 Jul 2008 20:49:06 +0000

You should use something like md5(uniqid(rand(0, 99999999), true)) to generate a unique token, because mt_rand(0, 1000) has just 1000 possibilities.

By: syshoLe.com » Blog Archive » CSRF Saldırıları ve Korunma (Bölüm 2)

syshoLe.com » Blog Archive » CSRF Saldırıları ve Korunma (Bölüm 2) — Mon, 03 Dec 2007 10:24:45 +0000

[...] http://devlog.info/2007/09/02/cross-site-request-forgeries-csrf/ [...]