PHP CSRF Guard

=Code Snippet=

If you need to protect against CSRF attacks in your code, this little helper can reduce the risk:

session_start; //if you are copying this code, this line makes it work.

function store_in_session($key,$value) { 	if (isset($_SESSION)) { 		$_SESSION[$key]=$value; } } function unset_session($key) { 	$_SESSION[$key])=''; 	unset($_SESSION[$key]); } function get_from_session($key) { 	if (isset($_SESSION)) 	{ 		return $_SESSION[$key]; 	} 	else { return false; } //no session data, no CSRF risk }

function csrfguard_generate_token($unique_form_name) { 	if (function_exists("hash_algos") and in_array("sha512",hash_algos)) { 		$token=hash("sha512",mt_rand(0,mt_getrandmax)); } 	else { 		$token=''; for ($i=0;$i<128;++$i) { 			$r=mt_rand(0,35); if ($r<26) { 				$c=chr(ord('a')+$r); } 			else { 				$c=chr(ord('0')+$r-26); } 			$token.=$c; } 	} 	store_in_session($unique_form_name,$token); return $token; } function csrfguard_validate_token($unique_form_name,$token_value) { 	$token=get_from_session($unique_form_name); if ($token===false) { 		return true; } 	elseif ($token==$token_value) { 		$result=true; } 	else { 		$result=false; } 	unset_session($unique_form_name); return $result; }

function csrfguard_replace_forms($form_data_html) { 	$count=preg_match_all("/(.*?)/is",$form_data_html,$matches,PREG_SET_ORDER); if (is_array($matches)) { 		foreach ($matches as $m) { 			if (strpos($m[1],"nocsrf")!==false) { continue; } $name="CSRFGuard_".mt_rand(0,mt_getrandmax); $token=csrfguard_generate_token($name); $form_data_html=str_replace($m[0], 				"  {$m[2]} ",$form_data_html); } 	} 	return $form_data_html; }

function csrfguard_inject { 	$data=ob_get_clean; $data=csrfguard_replace_forms($data); echo $data; } function csrfguard_start { 	if (count($_POST)) { 		if (!isset($_POST['CSRFName'])) { 			trigger_error("No CSRFName found, probable invalid request.",E_USER_ERROR); } 		$name =$_POST['CSRFName']; $token=$_POST['CSRFToken']; if (!csrfguard_validate_token($name, $token)) { 			trigger_error("Invalid CSRF token.",E_USER_ERROR); } 	} 	ob_start; register_shutdown_function(csrfguard_inject); } csrfguard_start;

=Description and Usage= The first three functions, are an abstraction over how session variables are stored. Replace them if you don't use native PHP sessions.

The generate function, creates a random secure one-time CSRF token. If SHA512 is available, it is used, otherwise a 512 bit random string in the same format is generated. This function also stores the generated token under a unique name in session variable.

The validate function, checks under the unique name for the token. There are three states: Either case, this function removes the token from sessions, ensuring one-timeness. The replace function, receives a portion of html data, finds all occurrences and adds two hidden fields to them: CSRFName and CSRFToken. If any of these forms has an attribute or value nocsrf', the addition won't be performed (note that using default inject and detect breaks with this).
 * Sessions not active: validate succeeds (no CSRF risk)
 * Token found but not the same, or token not found: validation fails
 * Token found and the same: validation succeeds

The other two functions, inject and start are a demonstration of how to use the other functions. Using output buffering on your entire output is not recommended (some libraries might dump output buffering). This default behavior, enforces CSRF tokens on all forms using POST method. It is assumed that no sensitive operations with GET method are performed in the application, as required by RFC 2616.

To test this code, append the following HTML to it:

 ' />  

=Author and License= This piece of code is by [mailto:abbas.naderi@owasp.org Abbas Naderi Afooshteh] from OWASP under Creative Commons 3.0 License.