Smarty
Game Over! Smarty Rookie
Joined: 01 May 2019 Posts: 10
Posted: Wed May 22, 2019 10:56 am Post subject: CSRF Token (XSRF) for preventing CSRF attacks
Hello dear friends.
I want to implement a CSRF token to prevent CSRF (XSRF) attacks.
Is there any specific way, or should I do it manually?
I didn't find any global variables for this purpose.
I mean, for example, in Laravel Eloquent we use , so I want to know if Smarty has something like this? Or any sample code? Or etc.?
Thanks a bunch
AnrDaemon Administrator
Joined: 03 Dec 2012 Posts: 1785
Posted: Thu May 23, 2019 6:35 am
"csrf_token" is just a string.
CSRF itself, on the other hand, is a technology, not a finger snap.
You have to implement it from top to bottom, in your application, and certainly not in the templating engine. And only then, when you have it implemented, will you pass a token to the template to render on a webpage.
Game Over! Smarty Rookie
Posted: Sun May 26, 2019 9:19 am Post subject: Implementing CSRF token in Smarty
I used this code:
for PHP >= 7
Code:
// Generating CSRF Token in PHP 7
session_start();
if (empty($_SESSION['token'])) {
    $_SESSION['token'] = bin2hex(random_bytes(32));
}
$token = $_SESSION['token'];
and for PHP >= 5.3
Code:
// Generating CSRF Token in 5.3+ (random_bytes() only exists from PHP 7)
session_start();
if (empty($_SESSION['token'])) {
    if (function_exists('mcrypt_create_iv')) {
        // mcrypt reads /dev/urandom directly
        $_SESSION['token'] = bin2hex(mcrypt_create_iv(32, MCRYPT_DEV_URANDOM));
    } else {
        // fall back to OpenSSL's CSPRNG
        $_SESSION['token'] = bin2hex(openssl_random_pseudo_bytes(32));
    }
}
$token = $_SESSION['token'];
and for verifying the CSRF token
Code:
// Verifying the CSRF token on form submission
$submitted = (isset($_POST['token']) && is_string($_POST['token'])) ? $_POST['token'] : '';
if ($submitted !== '' && !empty($_SESSION['token'])
    && hash_equals($_SESSION['token'], $submitted)) {
    // Proceed to process the form data
} else {
    // Reject the request: the token is missing or does not match.
    // Log this as a warning and keep an eye on these attempts
}
and in the TPL file I used this input
Code:
<input name="token" type="hidden" value="{$smarty.session.token}">
for more information please check this link
AnrDaemon wrote:
    "csrf_token" is just a string.
    CSRF itself, on the other hand, is a technology, not a finger snap.
    You have to implement it from top to bottom, in your application, and certainly not in templating engine. And only then, when you have it implemented, you will pass a token to template to render on a webpage.
Your forum doesn't have any "Thanks" button, so I had to reply to it.
Thanks in advance, sir.
AnrDaemon Administrator
Posted: Sun May 26, 2019 11:34 am
I would pass the token explicitly, if I were you. And certainly not access the session storage directly from a template.
Game Over! Smarty Rookie
Posted: Sun May 26, 2019 12:20 pm
AnrDaemon wrote:
    I would pass the token explicitly, if I were you. And certainly not access the session storage directly from a template.
May I ask why?
Why not access the session directly from a template? Please describe in detail.
Thanks in advance
AnrDaemon Administrator
Posted: Mon May 27, 2019 8:03 am
1. Sessions are not related to templating. Passing entire session where you only need a single string - …
2. Sessions are not necessarily implemented as $_SESSION superglobal.
3. CSRF tokens are not necessarily related to sessions.
Overall, https://speakerdeck.com/jakzal/decoupling-from-the-framework
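Putting the two halves of the thread together (the token generation and hash_equals() check from the earlier post, and the three points above about keeping the session out of the template), here is an added example that is not code from the thread, from Smarty or from any library. The class name CsrfToken, the template variable {$csrf_token}, the template file form.tpl and the Composer autoload path are this example's own assumptions; the form field name "token" is the one used earlier in the thread. Smarty's assign() and display() and the escape modifier are real Smarty API; random_bytes() needs PHP 7 and hash_equals() PHP 5.6, so the PHP 5.3 fallback from the thread would be needed on older versions.

```php
<?php
// Added example, not code from the thread or from Smarty itself.
// Assumed names: class CsrfToken, template variable {$csrf_token},
// template file form.tpl, Composer autoload under vendor/.
declare(strict_types=1);

final class CsrfToken
{
    const KEY = 'csrf_token';
    private $storage;

    // Any array-like store works; $_SESSION is just one option, so the
    // token logic is not tied to the $_SESSION superglobal (point 2 above).
    public function __construct(array &$storage)
    {
        $this->storage = &$storage;
    }

    // Return the current token, creating one from the CSPRNG if none exists.
    public function get(): string
    {
        if (empty($this->storage[self::KEY])) {
            $this->storage[self::KEY] = bin2hex(random_bytes(32));
        }
        return $this->storage[self::KEY];
    }

    // Constant-time comparison. A missing, empty or non-string submission,
    // or a missing stored token, is rejected instead of silently ignored.
    public function verify($submitted): bool
    {
        if (!is_string($submitted) || $submitted === '' || empty($this->storage[self::KEY])) {
            return false;
        }
        return hash_equals($this->storage[self::KEY], $submitted);
    }
}

// --- Request handling (application code, not the template) ---
session_start();
$csrf = new CsrfToken($_SESSION);

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!$csrf->verify($_POST['token'] ?? null)) {
        http_response_code(403);
        error_log('CSRF token mismatch from ' . ($_SERVER['REMOTE_ADDR'] ?? 'unknown'));
        exit('Invalid request.');
    }
    // ... process the form data here ...
}

// --- Rendering: hand the template only the single string it needs ---
require __DIR__ . '/vendor/autoload.php';   // assumed autoload path
$smarty = new Smarty();
$smarty->assign('csrf_token', $csrf->get());
$smarty->display('form.tpl');

// form.tpl (assumed template) contains, instead of {$smarty.session.token}:
//   <input name="token" type="hidden" value="{$csrf_token|escape}">
```

The template never touches $_SESSION; it only sees the one value assigned to it, which is what "pass the token explicitly" means in practice. The escape modifier is there so the value stays a plain attribute even if the storage backend ever hands back something other than a hex string.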