I have been trying to do CSRF token verification and have been following a tutorial by passive income, but he does this on the same page. I am just wondering how to do this if you are sending the form to another page, because won't you be generating two separate CSRF tokens, one for page one and the other for page two…
session_start(); // must run before any output, on every page that reads or writes $_SESSION
// Generate the per-session secret only once, on the first page load of the session
if (empty($_SESSION['key'])) {
    $_SESSION['key'] = bin2hex(random_bytes(32));
}
// Create the CSRF token for this form: an HMAC over a form-specific string, keyed with the session secret
$csrf = hash_hmac('sha256', 'this is some string: signup.php', $_SESSION['key']);
Hmm, that looks like quite an elegant solution, if implemented properly.
Shouldn't the if (empty($_SESSION['key'])) help make sure that only the first page load generates a session key, which is then used for all forms on all pages?
The CSRF token is then based on this session key and could simply be passed with the form input. After the form has been submitted, you can calculate the CSRF token again with the same session key and input string, which should produce the same CSRF token. If the calculated token matches the submitted token, then it's safe.
And since the CSRF token itself is not stored in the session, you can probably have multiple forms open at the same time without any problems.
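The two-page flow described in the reply above, written out as an added example. This is not code from the thread or from the tutorial the question mentions. It assumes a shared helper file csrf.php included by both signup.php and process.php, a form name 'signup' that both pages pass to the helper, and a hidden field named csrf_token; those file and field names are my choices, not anything from the original post.

```php
<?php
// ---- csrf.php: shared helper, included by both pages (hypothetical file name) ----

// Return the per-session secret, creating it on the first page load of the session.
// The secret itself never leaves the server; only HMACs derived from it go to the browser.
function csrf_session_key(): string
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start(); // both pages must attach to the same session
    }
    if (empty($_SESSION['key'])) {
        $_SESSION['key'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['key'];
}

// Derive the token for one named form. The form name is part of the HMAC input,
// so a token issued for the signup form is not valid for any other form.
function csrf_token(string $formName): string
{
    return hash_hmac('sha256', 'csrf-form:' . $formName, csrf_session_key());
}

// Recompute the expected token with the same form name and session key, then
// compare in constant time with hash_equals() rather than == or ===.
function csrf_verify(string $formName, ?string $submitted): bool
{
    if ($submitted === null || $submitted === '') {
        return false;
    }
    return hash_equals(csrf_token($formName), $submitted);
}

// Hidden input to place inside the form; escaped even though the token is plain hex.
function csrf_field(string $formName): string
{
    $token = htmlspecialchars(csrf_token($formName), ENT_QUOTES, 'UTF-8');
    return '<input type="hidden" name="csrf_token" value="' . $token . '">';
}

// ---- signup.php: the page that renders the form ----
require_once __DIR__ . '/csrf.php';
?>
<form method="post" action="process.php">
    <label>Email <input type="email" name="email" required></label>
    <?= csrf_field('signup') ?>
    <button type="submit">Sign up</button>
</form>
<?php
// ---- process.php: the separate page the form posts to ----
require_once __DIR__ . '/csrf.php';

// Same form name as on signup.php, so the recomputed HMAC matches the one that was issued.
if ($_SERVER['REQUEST_METHOD'] !== 'POST'
    || !csrf_verify('signup', $_POST['csrf_token'] ?? null)) {
    http_response_code(403);
    exit('Invalid CSRF token');
}
// Token matched: safe to act on $_POST['email'] here.
```

Nothing about the token is stored between the two requests; process.php simply recomputes it from the session secret and the same form name, so the only things that must agree across pages are the session (session_start() before any output on both) and the string passed to csrf_token(). If the processing page uses a different string than the form page, the recomputed HMAC will never match, which is exactly the "wrong token" symptom. Because the token is a deterministic function of the session secret and form name, it stays valid for the life of the session and several open tabs of the same form share it without conflict; it becomes invalid only when the session is destroyed or the key is regenerated. Compare with hash_equals() rather than == so the check does not leak timing information about the expected value.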
Maybe I am not confused here: I have that in my main form page, but I would need that CSRF token to be sent to my processing page, which is a different page; otherwise it will always say wrong token…