getkirby-v2/toolkit

csrf() helper: Use different default value for param

lukasbestle opened this issue · 3 comments

This is not the same thing, but also about csrf(): if you use it multiple times on a page (i.e. when you have two forms on one page) it resets the token every time you call the function.

This could solve that:

function csrf($check = null) {

  // make sure a session is started
  s::start();

  // make sure to generate one token per page:
  // the static variable survives across calls within the same request,
  // so two forms on one page render the same token instead of
  // overwriting each other's value in the session
  static $token;

  if(is_null($check)) {
    if(!$token) {
      $token = str::random(64);
      s::set('csrf', $token);
    }
    return $token;
  }

  // verification mode: strict comparison against the token stored in the session
  return $check === s::get('csrf');

}

Still has the null issue of course :)
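The two problems discussed in this comment, the token being regenerated on every call and the "null issue" of a sentinel default parameter, can both be avoided by splitting generation and verification into two functions so that no argument value has to mean "generate". The following is an added example and not toolkit code; the function names csrf_token() and csrf_check() and the array that stands in for the session are assumptions made here so the script runs from the CLI without Kirby or a web server.

```php
<?php
// Added example (not Kirby toolkit code). The session is simulated with a
// plain array; in a real app this would be $_SESSION or the toolkit's s:: class.

$session = [];

// Generate (or reuse) the token for the current request.
// The static variable keeps one token per request, so every form rendered
// on the same page embeds the same value.
function csrf_token(array &$session): string {
    static $token = null;
    if ($token === null) {
        $token = bin2hex(random_bytes(32));   // 64 hex chars from a CSPRNG
        $session['csrf'] = $token;
    }
    return $token;
}

// Verify a submitted value against the session token.
// There is no sentinel default: a missing or null field is simply a failed
// check, never a request to generate a new token.
function csrf_check(array $session, $submitted): bool {
    // Only a non-empty string can be a valid token (rejects null, '', arrays).
    if (!is_string($submitted) || $submitted === '') {
        return false;
    }
    // If the session holds no token, nothing could legitimately match.
    if (!isset($session['csrf']) || !is_string($session['csrf'])) {
        return false;
    }
    // Constant-time comparison; both operands are guaranteed to be strings here.
    return hash_equals($session['csrf'], $submitted);
}

// --- demo with constructed values ---
$first  = csrf_token($session);   // rendered into form 1
$second = csrf_token($session);   // rendered into form 2 on the same page
var_dump($first === $second);                 // bool(true): token not reset

var_dump(csrf_check($session, $first));       // bool(true)
var_dump(csrf_check($session, null));         // bool(false): missing field
var_dump(csrf_check($session, ''));           // bool(false): empty field
var_dump(csrf_check($session, 'not-the-token')); // bool(false)

$freshSession = [];                           // no token stored yet
var_dump(csrf_check($freshSession, null));    // bool(false), the "null issue" case
```

Because csrf_check() never falls back to generating a token, a request that omits the form field (for example `$_POST['csrf'] ?? null`) fails closed, and an empty session cannot accidentally compare equal to an empty submission.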

I moved this second issue to the separate issue #242. We will fix both in the next release, thanks for reporting.

This is now fixed on the develop branch. The new solution is actually even better than a different default value as that default param could be faked by an attacker as well.