Smarty Forum Index Smarty
The discussions here are for Smarty, a template engine for the PHP programming language.

CSRF Token (XSRF) for preventing CSRF attacks

 
Post new topic   Reply to topic    Smarty Forum Index -> General
View previous topic :: View next topic  
Author Message
Game Over!
Smarty Rookie


Joined: 01 May 2019
Posts: 8

PostPosted: Wed May 22, 2019 10:56 am    Post subject: CSRF Token (XSRF) for preventing CSRF attacks Reply with quote

Hello dear friends.

I wanna to implement CSRF token to prevent CSRF (XSRF) attack.
Is there any specific way or I should do it manually?

I didn't find any global variables for this purpose.
I mean for example in Laravel Eloquent we use
Code:
{{ csrf_token() }}
so I wanna know if Smarty has something like this? or any sample code? or etc?


Thanks a bunch
Back to top
View user's profile Send private message
AnrDaemon
Administrator


Joined: 03 Dec 2012
Posts: 1583

PostPosted: Thu May 23, 2019 6:35 am    Post subject: Reply with quote

"csrf_token" is just a string.
CSRF itself, on the other hand, is a technology, not a finger snap.
You have to implement it from top to bottom, in your application, and certainly not in templating engine. And only then, when you have it implemented, you will pass a token to template to render on a webpage.
Back to top
View user's profile Send private message
Game Over!
Smarty Rookie


Joined: 01 May 2019
Posts: 8

PostPosted: Sun May 26, 2019 9:19 am    Post subject: Implementing CSRF token in Smarty Reply with quote

I used these codes :

for PHP >= 7
Code:
// Generating CSRF Token in PHP 7
session_start();
if (empty($_SESSION['token'])) {
    $_SESSION['token'] = bin2hex(random_bytes(32));
}
$token = $_SESSION['token'];


and for PHP >= 5.3

Code:
// Generating CSRF Token in 5.3+
session_start();
if (empty($_SESSION['token'])) {
    if (function_exists('mcrypt_create_iv')) {
        $_SESSION['token'] = bin2hex(mcrypt_create_iv(32, MCRYPT_DEV_URANDOM));
    } else {
        $_SESSION['token'] = bin2hex(openssl_random_pseudo_bytes(32));
    }
}
$token = $_SESSION['token'];


and for Verifying the CSRF Token

Code:
if (!empty($_POST['token'])) {
    if (hash_equals($_SESSION['token'], $_POST['token'])) {
         // Proceed to process the form data
    } else {
         // Log this as a warning and keep an eye on these attempts
    }
}


and in TPL file I used this input
Code:
<input name="token" type="hidden" value="{$smarty.session.token}">


for more information please check this link

AnrDaemon wrote:
"csrf_token" is just a string.
CSRF itself, on the other hand, is a technology, not a finger snap.
You have to implement it from top to bottom, in your application, and certainly not in templating engine. And only then, when you have it implemented, you will pass a token to template to render on a webpage.


your forum doesn't have any "Thanks" button so I had to reply it Smile

Thanks in advance sir.
Back to top
View user's profile Send private message
AnrDaemon
Administrator


Joined: 03 Dec 2012
Posts: 1583

PostPosted: Sun May 26, 2019 11:34 am    Post subject: Reply with quote

I would pass the token explicitly, if I were you. And certainly not access the session storage directly from a template.
Back to top
View user's profile Send private message
Game Over!
Smarty Rookie


Joined: 01 May 2019
Posts: 8

PostPosted: Sun May 26, 2019 12:20 pm    Post subject: Reply with quote

AnrDaemon wrote:
I would pass the token explicitly, if I were you. And certainly not access the session storage directly from a template.


May I ask you why?
why not access session directly from template? please describe with detail.

Thanks in advance
Back to top
View user's profile Send private message
AnrDaemon
Administrator


Joined: 03 Dec 2012
Posts: 1583

PostPosted: Mon May 27, 2019 8:03 am    Post subject: Reply with quote

1. Sessions are not related to templating. Passing entire session where you only need a single string -
2. Sessions are not necessarily implemented as $_SESSION superglobal.
3. CSRF tokens are not necessarily related to sessions.

Overall, https://speakerdeck.com/jakzal/decoupling-from-the-framework
Back to top
View user's profile Send private message
Display posts from previous:   
Post new topic   Reply to topic    Smarty Forum Index -> General All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum


Powered by phpBB © 2001, 2005 phpBB Group
Protected by Anti-Spam ACP