Joseph Scott:
Stateless CSRF Tokens
August 02, 2013 @ 11:16:44

Joseph Scott has a recent post on his site looking at the idea of stateless CSRF tokens and how to create them while avoiding the typical "store them in a session" approach.

This is all fine and good until you want to avoid using PHP sessions. Perhaps you have several web servers and don't want to deal with shared session storage. Or have servers in multiple data centers and don't want to try and sync state across them. Whatever the reason, popping a token into $_SESSION isn't an option in this case. In short, you want some sort of stateless CSRF token.

He looks at two methods to help get around this issue. The first method is based on known values that change infrequently (say, every 24 hours or so). His second method, however, is considerably stronger: it builds the token from a combination of a secret key, the current time, a timeout and a known string of data, with the result base64 encoded, so the server can verify it later without storing anything.
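As an added illustration of that second method (this is example code written for this summary, not Joseph Scott's own implementation), the snippet below builds a token from a secret key, the issue time, a timeout and a known string, then verifies it statelessly by recomputing an HMAC. The function names, the HMAC-SHA256 choice, the `$secretKey` value and the use of a user id as the "known string of data" are all assumptions for the example.

```php
<?php
// Added example, not from Joseph Scott's post. Assumed names: csrf_token_generate(),
// csrf_token_validate(); assumed MAC: HMAC-SHA256; assumed known data: a user id.
declare(strict_types=1);

/**
 * Token layout: base64( issuedAt . ':' . timeout . ':' . mac )
 * where mac = HMAC-SHA256(secretKey, issuedAt . ':' . timeout . ':' . knownData).
 * The known data never travels in the token; the server already has it.
 */
function csrf_token_generate(string $secretKey, string $knownData, int $timeout, ?int $now = null): string
{
    $issuedAt = $now ?? time();
    $payload  = $issuedAt . ':' . $timeout;
    $mac      = hash_hmac('sha256', $payload . ':' . $knownData, $secretKey);
    return base64_encode($payload . ':' . $mac);
}

/**
 * Stateless check: decode, recompute the MAC from the embedded fields plus the
 * server-side known data, compare in constant time, and enforce the timeout.
 * Because the timeout is covered by the MAC, a client cannot extend it.
 */
function csrf_token_validate(string $token, string $secretKey, string $knownData, ?int $now = null): bool
{
    $decoded = base64_decode($token, true);   // strict mode rejects junk input
    if ($decoded === false) {
        return false;
    }
    $parts = explode(':', $decoded);
    if (count($parts) !== 3) {
        return false;
    }
    [$issuedAt, $timeout, $mac] = $parts;
    if (!ctype_digit($issuedAt) || !ctype_digit($timeout)) {
        return false;
    }
    $issuedAt = (int) $issuedAt;
    $timeout  = (int) $timeout;
    $now      = $now ?? time();

    // Reject expired tokens and tokens claiming to be issued well in the future.
    if ($now > $issuedAt + $timeout || $issuedAt > $now + 60) {
        return false;
    }

    $expected = hash_hmac('sha256', $issuedAt . ':' . $timeout . ':' . $knownData, $secretKey);
    // hash_equals() compares in constant time so a mismatch position is not leaked.
    return hash_equals($expected, $mac);
}

// Constructed sample values, not real secrets.
$secretKey = 'constructed-server-secret-replace-me';
$knownData = 'user:42';   // assumed: the authenticated user's id
$token     = csrf_token_generate($secretKey, $knownData, 3600);

var_dump(csrf_token_validate($token, $secretKey, $knownData));                 // same user, in window
var_dump(csrf_token_validate($token, $secretKey, 'user:43'));                  // different user
var_dump(csrf_token_validate($token, $secretKey, $knownData, time() + 7200));  // past the timeout
```

The token carries only the issue time, the timeout and the MAC, so any number of servers holding the same secret key can validate it with no shared storage. Binding the known data (here a user id) into the MAC keeps a token minted for one user from being replayed for another, and including the timeout in the MAC means the expiry window itself is tamper-evident.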

csrf token stateless tutorial session base64 timeout microtime

Link: https://josephscott.org/archives/2013/07/stateless-csrf-tokens



All content copyright, 2015 PHPDeveloper.org :: info@phpdeveloper.org - Powered by the Solar PHP Framework