
In order to prevent CSRF attacks, should I send the md5 hash of my session_id() in a hidden form field? Would that be enough?

Thanks

  • Session data is stored server-side and client-side via a cookie. There is no need for any of that. – Niels Dec 02 '17 at 08:27
  • Please read this: https://stackoverflow.com/questions/21473515/why-csrf-token-should-be-in-meta-tag-and-in-cookie – odan Dec 02 '17 at 08:31
  • `code code` Is it enough to hash session_id() in this way, or is it useless? Please consider that my app is basically simple and I do not need very strong protection... just to prevent attacks from a third-party malicious site – Lilia Dec 02 '17 at 09:33
  • The md5 hash is not secure anymore. Use at least SHA512 and a secret key: ` – odan Dec 02 '17 at 09:57
  • Sorry, but wanting to stay on md5 or sha1 (because, as I said, I do not need to use stronger methods), what would be the difference between `echo hash ('md5', session_id (), 'top-secret');` and `echo md5 (session_id ()); ` since both generate a string of 32 characters? But above all, is this approach useful for generating a CSRF token? – Lilia Dec 02 '17 at 11:30

1 Answer


I can't comment right now. You should provide code examples or something. Your question is really generic, and if you really want to be safe from attacks you should think about having some "model" protection, something like:
"...
1. Authenticate (on request)
2. Header check
3. I/O: write a timestamp to disk (or wherever)
4. A first token, usually sent by GET (query string), which is the SHA1 or SHA512 hash of the user's session ID
5. A second token sent by POST (form), which is the AES-256 encryption of the SHA1 or SHA512 hash (depending on how fast the request has to be) of the user's session ID, plus additional information like the datetime and others (encrypted only with AES-256 and packed with the whole request)
6. These two tokens must match the user's original session ID, and the additional information is decrypted
7. The timestamp token needs to match the timestamp saved on disk (or wherever)
..."
Every use case is different; I wrote this on my blog here: https://blog.myetv.tv/2017/09/18/writing-secure-code-how-myetv-do-crypt-auth-transfer-and-store-informations/

Hope it helps ;)
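As an added worked example (editor's code, not from the question, the answer, or the MyETV blog linked above): the two properties a CSRF token actually needs are that a third-party site cannot predict it and that it is tied to the victim's session. A keyed hash over the session ID gives both, and adding a timestamp gives the expiry step from the answer's scheme without any disk I/O or AES layer. Assumptions: `$secret` is a server-side key that never reaches the browser, `CSRF_TTL` is an assumed one-hour policy, and the session ID passed in is the one PHP keeps in the HttpOnly session cookie (`session_id()` in a real request); the demo at the bottom uses a constructed session ID so it runs from the CLI.

```php
<?php
// Added example: HMAC-based, session-bound CSRF token with expiry.
// Not code from the original question or answer.
declare(strict_types=1);

const CSRF_TTL = 3600; // assumed policy: tokens live for one hour

/**
 * Issue a token for a form: "<issued-at>.<hmac>".
 * HMAC-SHA256 keyed with a server secret means:
 *  - a third-party site cannot compute it (it knows neither the session ID
 *    nor the secret), which is the actual CSRF requirement;
 *  - a leaked token does not expose the session ID, unlike an unkeyed
 *    md5(session_id()) that an attacker can brute-force offline;
 *  - the embedded timestamp gives a natural expiry.
 */
function csrf_issue(string $sessionId, string $secret, ?int $now = null): string
{
    $now = $now ?? time();
    $mac = hash_hmac('sha256', $sessionId . '|' . $now, $secret);
    return $now . '.' . $mac;
}

/** Verify a submitted token against the current session. */
function csrf_verify(string $token, string $sessionId, string $secret, ?int $now = null): bool
{
    $now   = $now ?? time();
    $parts = explode('.', $token, 2);
    // Reject anything that does not have the expected shape before doing crypto.
    if (count($parts) !== 2 || !ctype_digit($parts[0]) || strlen($parts[1]) !== 64) {
        return false;
    }
    [$issuedStr, $mac] = $parts;
    $issued = (int) $issuedStr;
    if ($issued > $now || $now - $issued > CSRF_TTL) {
        return false; // expired, or claims to be from the future
    }
    $expected = hash_hmac('sha256', $sessionId . '|' . $issued, $secret);
    // Constant-time comparison: a plain === would leak timing information.
    return hash_equals($expected, $mac);
}

// --- Inside a real request (sketch; requires a running web SAPI) ---
// session_start();
// $secret = getenv('CSRF_SECRET');                 // from config, not the repo
// $token  = csrf_issue(session_id(), $secret);
// echo '<input type="hidden" name="csrf" value="'
//    . htmlspecialchars($token, ENT_QUOTES, 'UTF-8') . '">';
// ...and on POST:
// if (!csrf_verify($_POST['csrf'] ?? '', session_id(), $secret)) {
//     http_response_code(403);
//     exit('invalid CSRF token');
// }

// --- Offline demo with constructed values ---
$secret    = bin2hex(random_bytes(32)); // generate once, keep server-side
$sessionId = 'abc123sessionid';         // constructed stand-in for session_id()

$token = csrf_issue($sessionId, $secret);
var_dump(csrf_verify($token, $sessionId, $secret));                        // same session, within TTL
var_dump(csrf_verify($token, 'othersession', $secret));                    // different session
var_dump(csrf_verify($token, $sessionId, $secret, time() + CSRF_TTL + 1)); // past the TTL
var_dump(csrf_verify(md5($sessionId), $sessionId, $secret));               // bare md5 is not a valid token
```

Two practical notes. Because the token is bound to the session ID, calling `session_regenerate_id(true)` after login (which you should do anyway, against session fixation) invalidates every token issued before it, so re-render forms after that point. If you would rather not manage a secret, the simpler synchronizer-token pattern works just as well for a small app: store `bin2hex(random_bytes(32))` in `$_SESSION` once, put it in the hidden field, and compare with `hash_equals()` on POST; the strength of the hash function was never the issue, unpredictability and session binding are.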