Securing PHP Applications Against Cross-Site Request Forgery (CSRF)
Understanding CSRF in PHP
CSRF exploits occur when a malicious website tricks a user's browser into submitting a request to a trusted site where the user is already authenticated. Since the browser automatically includes session cookies, the request appears legitimate to the server. Preventing CSRF requires validating the intent of the request by verifying it originates from the expected source.
PHP provides several mechanisms to mitigate CSRF attacks. The most effective include using anti-CSRF tokens, checking the Referer header, and leveraging built-in security features in frameworks like Laravel or Symfony.
Implementing CSRF Protection with Tokens
The standard method for defending against CSRF in PHP is to generate and validate unique tokens for each request. These tokens are stored in the session and matched against the submitted token in forms or API requests.
Here's how to implement CSRF protection using session-based tokens:
<?php
session_start();
// Generate a CSRF token if it doesn't exist
if (empty($_SESSION['csrf_token'])) {
$_SESSION['csrf_token'] = bin2hex(random_bytes(32));
}
// Display the form
?>
<form method="post" action="process.php">
<input type="hidden" name="csrf_token" value="<?= htmlspecialchars($_SESSION['csrf_token']) ?>">
<input type="text" name="username" placeholder="Username">
<input type="submit" value="Submit">
</form>In the processing script (process.php), validate the submitted token:
<?php
session_start();
if (
!isset($_POST['csrf_token']) ||
!isset($_SESSION['csrf_token']) ||
$_POST['csrf_token'] !== $_SESSION['csrf_token']
) {
die('Invalid CSRF token');
}
// Proceed with form processing
echo 'Form submitted securely.';This method ensures that only forms generated by the server can be submitted, effectively mitigating CSRF.
Using HTTP Headers for AJAX Requests
For AJAX requests, it's common to send the CSRF token in a custom HTTP header rather than a form field. This approach is particularly useful in single-page applications or SPAs.
Example using JavaScript (with jQuery):
$.ajaxSetup({
headers: {
'X-CSRF-TOKEN': $('meta[name="csrf-token"]').attr('content')
}
});On the server side, validate the header:
<?php
session_start();
$token = $_SERVER['HTTP_X_CSRF_TOKEN'] ?? '';
if ($token !== $_SESSION['csrf_token']) {
http_response_code(403);
die('Invalid CSRF token');
}Comparing CSRF Protection Techniques
| Method | Pros | Cons |
|---|---|---|
| Token-based (session) | Secure, widely supported | Requires session handling |
| Referer header check | Easy to implement | Not always reliable (can be spoofed or missing) |
| SameSite cookie attribute | Built-in browser support | Not supported in older browsers |
| Custom headers | Works well for AJAX | Requires JavaScript |
Using a combination of these methods provides layered security. For example, using SameSite=Strict cookies in conjunction with CSRF tokens enhances protection against a wider range of attacks.
Best Practices for CSRF Protection
- Always regenerate CSRF tokens on each request or after a form submission to prevent token reuse.
- Set the
SameSiteattribute on session cookies toLaxorStrictto mitigate CSRF in modern browsers. - Use HTTPS to ensure tokens are transmitted securely.
- Avoid storing tokens in predictable formats (e.g., based on timestamps or usernames).
- Implement token expiration to limit the window of vulnerability.