PHPprogramming~30 mins

CSRF attacks and token protection in PHP - Mini Project: Build & Apply

Choose your learning style9 modes available

Learn Why Deep Visual Try Challenge Project Recall Time

CSRF Attacks and Token Protection

📖 Scenario: You are building a simple web form where users can submit their email to subscribe to a newsletter. To keep the form safe from CSRF (Cross-Site Request Forgery) attacks, you will add a CSRF token to the form and check it when the form is submitted.

🎯 Goal: Create a PHP script that generates a CSRF token, includes it in a form as a hidden input, and then validates the token when the form is submitted to protect against CSRF attacks.

📋 What You'll Learn

Create a PHP session to store the CSRF token

Generate a CSRF token and store it in the session

Add the CSRF token as a hidden input in the HTML form

Check the CSRF token on form submission to validate it

Display a success message if the token is valid, or an error message if invalid

💡 Why This Matters

🌍 Real World

CSRF tokens are used in web forms to prevent attackers from tricking users into submitting unwanted requests. This protects user data and actions on websites.

💼 Career

Understanding CSRF protection is essential for web developers and security engineers to build safe web applications and prevent common security vulnerabilities.

Progress0 / 4 steps

Start a PHP session and create a CSRF token

Write PHP code to start a session with session_start() and create a CSRF token string called csrf_token using bin2hex(random_bytes(32)). Store this token in the session variable $_SESSION['csrf_token'].

PHP

<?php
session_start();
// Your code here

Need a hint?

Use session_start() at the top. Then create $csrf_token with bin2hex(random_bytes(32)) and save it in $_SESSION['csrf_token'].

Add the CSRF token as a hidden input in the HTML form

Write HTML code for a form with method POST and action set to the same page. Inside the form, add an input field for email and a hidden input field named csrf_token with the value set to the PHP variable $csrf_token.

PHP



  Email:
  
  
  Subscribe

Need a hint?

Use a hidden input with name="csrf_token" and set its value to .

Check the CSRF token on form submission

Add PHP code at the top to check if the form is submitted by verifying $_SERVER['REQUEST_METHOD'] === 'POST'. Then check if $_POST['csrf_token'] exists and matches $_SESSION['csrf_token']. Store the result in a variable called valid_token which is true if tokens match, otherwise false.

PHP



  Email:
  
  ">
  Subscribe

Need a hint?

Check if the request method is POST. Then verify if $_POST['csrf_token'] exists and equals $_SESSION['csrf_token']. Set $valid_token accordingly.

Display success or error message based on CSRF token validation

Add PHP code after the form to print "Subscription successful!" if $valid_token is true. Otherwise, if the form was submitted but the token is invalid, print "Error: Invalid CSRF token.".

PHP



  Email:
  
  ">
  Subscribe

Need a hint?

After the form, check if the form was submitted. If $valid_token is true, print success message. Otherwise, print error message.