Three Methods to Prevent CSRF Attacks in PHP Applications
This article explains three practical techniques, CSRF token validation, HTTP-only cookie verification, and duplicate-submission prevention, each illustrated with a complete PHP code example, to help developers protect their web applications from cross-site request forgery attacks.
Cross-Site Request Forgery (CSRF) is a web security attack in which an attacker tricks a logged-in user's browser into sending a request the user did not intend; the server accepts it because the browser attaches the session cookie automatically. The article presents three PHP-based defenses that developers can implement to mitigate this risk.
Method 1: Token Validation – A unique CSRF token is generated per session, stored in $_SESSION['csrf_token'], and added as a hidden field in every form. On submission, the server compares the posted token with the session token; a forged cross-site request cannot supply the token, because the attacker's page never sees it.
<?php
// The form and its handler are shown as one self-posting script (action="").
session_start();

// One token per session: 32 bytes from the CSPRNG, hex-encoded (64 characters).
if (!isset($_SESSION['csrf_token'])) {
    $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
}

if (isset($_POST['submit'])) {
    $posted = $_POST['csrf_token'] ?? null;
    // hash_equals() compares in constant time; a missing or non-string field
    // fails closed instead of reaching the comparison.
    if (is_string($posted) && hash_equals($_SESSION['csrf_token'], $posted)) {
        // process form data
    } else {
        // CSRF token validation failed: reject the request (for example with HTTP 403)
    }
}
?>
<form method="POST" action="">
    <input type="hidden" name="csrf_token" value="<?= htmlspecialchars($_SESSION['csrf_token'], ENT_QUOTES, 'UTF-8') ?>">
    <!-- other form fields go here -->
    <button type="submit" name="submit">Submit</button>
</form>
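The session-token check above, factored into small functions so it can be exercised from the command line. This is an added example, not code from the original article: `$session` and `$post` are plain arrays standing in for `$_SESSION` and `$_POST`, the function names (`csrf_token`, `csrf_field`, `csrf_verify`, `csrf_rotate`) are this example's own, and the request data at the bottom is constructed. It shows the cases a handler has to fail closed on (no token submitted, a wrong token, a token sent as an array) and why the token should be rotated at login.

```php
<?php
// Added example, not code from the original article: session-bound CSRF token
// helpers written against plain arrays so they can be exercised from the CLI.
// $session and $post stand in for $_SESSION and $_POST; in a web request pass
// those superglobals directly.
declare(strict_types=1);

const CSRF_KEY = 'csrf_token';

// Return the session's CSRF token, minting it on first use (32 CSPRNG bytes, hex-encoded).
function csrf_token(array &$session): string
{
    if (!is_string($session[CSRF_KEY] ?? null)) {
        $session[CSRF_KEY] = bin2hex(random_bytes(32));
    }
    return $session[CSRF_KEY];
}

// Hidden input for a form. htmlspecialchars() keeps the value safe inside an attribute.
function csrf_field(array &$session): string
{
    $value = htmlspecialchars(csrf_token($session), ENT_QUOTES, 'UTF-8');
    return '<input type="hidden" name="' . CSRF_KEY . '" value="' . $value . '">';
}

// True only when the submitted token is a string equal to the session token.
// hash_equals() runs in constant time, so response timing does not reveal how
// many leading bytes of a submitted value were correct.
function csrf_verify(array $session, array $post): bool
{
    $expected = $session[CSRF_KEY] ?? null;
    $actual   = $post[CSRF_KEY] ?? null;
    if (!is_string($expected) || !is_string($actual)) {
        return false;   // no token issued yet, none submitted, or submitted as an array
    }
    return hash_equals($expected, $actual);
}

// Call on login and logout (together with session_regenerate_id()) so a token
// minted for an anonymous visitor does not survive into the authenticated session.
function csrf_rotate(array &$session): string
{
    unset($session[CSRF_KEY]);
    return csrf_token($session);
}

// ---- CLI demonstration with constructed request data ----
$session = [];
$token   = csrf_token($session);

$requests = [
    'valid token'         => [CSRF_KEY => $token],
    'missing token'       => [],
    'wrong token'         => [CSRF_KEY => str_repeat('0', 64)],
    'token sent as array' => [CSRF_KEY => [$token]],
];
foreach ($requests as $label => $post) {
    printf("%-20s => %s\n", $label, csrf_verify($session, $post) ? 'accepted' : 'rejected');
}

$old = $token;
csrf_rotate($session);
printf("old token after rotation => %s\n", csrf_verify($session, [CSRF_KEY => $old]) ? 'accepted' : 'rejected');
```

Run it with `php csrf_session_example.php` (the file name is arbitrary). Only the first request is accepted; the `is_string` guards matter because `$_POST['csrf_token'][]` arrives as an array and PHP 8's `hash_equals()` throws a TypeError on non-string arguments, which would turn a failed check into an error page rather than a clean rejection.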

Method 2: HTTP-Only Cookie Verification – Instead of storing the token in the session, a random token is placed in an HTTP-only cookie that JavaScript cannot read. The server also writes the same token into a hidden form field when it renders the page, and on submission compares the posted field with the cookie value (the "double-submit cookie" pattern).
<?php
// Form and handler as one self-posting script (action="").
$cookie_name = 'csrfToken';

if (isset($_POST['submit'])) {
    $posted = $_POST['csrf_token'] ?? null;
    $cookie = $_COOKIE[$cookie_name] ?? null;
    // Both values must be present as strings; hash_equals() compares in constant time.
    if (is_string($posted) && is_string($cookie) && hash_equals($cookie, $posted)) {
        // process form data
    } else {
        // CSRF token validation failed
    }
}

if (!isset($_COOKIE[$cookie_name])) {
    $token = bin2hex(random_bytes(32));
    // Options-array form of setcookie() (PHP 7.3+): same attributes as before
    // (session cookie, path /, Secure, HttpOnly) without passing null for the
    // integer and string parameters, which PHP 8.1+ deprecates.
    setcookie($cookie_name, $token, [
        'expires'  => 0,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
    ]);
} else {
    $token = $_COOKIE[$cookie_name];
}
?>
<form method="POST" action="">
    <input type="hidden" name="csrf_token" value="<?= htmlspecialchars($token, ENT_QUOTES, 'UTF-8') ?>">
    <!-- other form fields go here -->
    <button type="submit" name="submit">Submit</button>
</form>
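A stronger form of the double-submit check in Method 2, as an added example that is not code from the original article: the value stored in the cookie and echoed in the form is an HMAC over the session id and a random nonce, so a matching cookie/field pair is accepted only if this server minted it for this session. `CSRF_SECRET_HEX` is a placeholder key, the session ids and function names (`csrf_mint`, `csrf_token_valid`, `csrf_double_submit_ok`, `csrf_send_cookie`) are this example's own, and the request data at the bottom is constructed.

```php
<?php
// Added example, not code from the original article: a signed double-submit
// cookie. The value placed in the cookie and echoed in the form is an HMAC
// over the session id and a random nonce, so the server accepts a matching
// cookie/field pair only if it minted that value for this session.
// CSRF_SECRET_HEX is a placeholder; a real deployment loads the key from
// configuration, never from source.
declare(strict_types=1);

const CSRF_COOKIE     = 'csrfToken';
const CSRF_FIELD      = 'csrf_token';
const CSRF_SECRET_HEX = '000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f';

// token = hex(HMAC-SHA256(key, sessionId . '!' . nonce)) . '.' . nonce
function csrf_mint(string $sessionId, string $key): string
{
    $nonce = bin2hex(random_bytes(16));
    return hash_hmac('sha256', $sessionId . '!' . $nonce, $key) . '.' . $nonce;
}

// Recompute the MAC from the nonce inside the token and compare in constant time.
function csrf_token_valid(string $token, string $sessionId, string $key): bool
{
    $parts = explode('.', $token, 2);
    if (count($parts) !== 2 || strlen($parts[0]) !== 64 || $parts[1] === '') {
        return false;   // malformed token
    }
    [$mac, $nonce] = $parts;
    return hash_equals(hash_hmac('sha256', $sessionId . '!' . $nonce, $key), $mac);
}

// The double-submit check proper: cookie and form field must both be present,
// be equal, and carry a MAC that verifies for the current session.
function csrf_double_submit_ok(array $cookie, array $post, string $sessionId, string $key): bool
{
    $c = $cookie[CSRF_COOKIE] ?? null;
    $p = $post[CSRF_FIELD]    ?? null;
    if (!is_string($c) || !is_string($p)) {
        return false;
    }
    return hash_equals($c, $p) && csrf_token_valid($c, $sessionId, $key);
}

// Send the cookie with the attributes used in the article (session cookie,
// path /, Secure, HttpOnly) plus SameSite. The options-array form needs
// PHP 7.3+; this is only called when building a real HTTP response.
function csrf_send_cookie(string $token): void
{
    setcookie(CSRF_COOKIE, $token, [
        'expires'  => 0,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
}

// ---- CLI demonstration with constructed values ----
$key      = hex2bin(CSRF_SECRET_HEX);
$sid      = 'sess-demo-1';                 // stands in for session_id()
$tok      = csrf_mint($sid, $key);
$unsigned = bin2hex(random_bytes(32));     // a plain random value with no MAC

$cases = [
    // label => [cookies, post fields, session id seen by the server]
    'matching signed pair'         => [[CSRF_COOKIE => $tok], [CSRF_FIELD => $tok], $sid],
    'form field missing'           => [[CSRF_COOKIE => $tok], [], $sid],
    'cookie and field differ'      => [[CSRF_COOKIE => $tok], [CSRF_FIELD => csrf_mint($sid, $key)], $sid],
    'matching but unsigned pair'   => [[CSRF_COOKIE => $unsigned], [CSRF_FIELD => $unsigned], $sid],
    'matching pair, other session' => [[CSRF_COOKIE => $tok], [CSRF_FIELD => $tok], 'sess-demo-2'],
];
foreach ($cases as $label => [$cookies, $post, $sessionId]) {
    printf("%-30s => %s\n", $label, csrf_double_submit_ok($cookies, $post, $sessionId, $key) ? 'accepted' : 'rejected');
}
```

Only the first case is accepted. The last two cases are the ones a plain double-submit check cannot distinguish from a legitimate request: a cookie/field pair that matches but was never issued by the server, and a pair issued for a different session. Binding the value to the session id with a server-side key closes both, at the cost of needing a session (or another per-user identifier) to sign against.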

Method 3: Duplicate-Submission Prevention – This approach creates a unique form token and a form identifier, stores them in the session, and includes them as hidden fields. The server validates both values and, after successful processing, removes them from the session, so the same pair cannot be submitted a second time (a replay).
<?php
// Form and handler as one self-posting script (action="").
session_start();

if (isset($_POST['submit'])) {
    $posted_id    = $_POST['form_id'] ?? null;
    $posted_token = $_POST['form_token'] ?? null;
    if (is_string($posted_id) && is_string($posted_token)
        && isset($_SESSION['form_id'], $_SESSION['form_token'])
        && hash_equals($_SESSION['form_id'], $posted_id)
        && hash_equals($_SESSION['form_token'], $posted_token)) {
        // process form data
        // then discard the pair so the same submission cannot be replayed
        unset($_SESSION['form_id'], $_SESSION['form_token']);
    } else {
        // CSRF token validation failed
    }
}

// A fresh single-use pair for the form rendered below (overwrites any earlier pair).
$form_token = bin2hex(random_bytes(32));           // CSPRNG; md5(uniqid()) is not a cryptographic source
$_SESSION['form_token'] = $form_token;
$form_id = md5($_SERVER['REQUEST_URI'] . time());  // identifies which form the token was issued for
$_SESSION['form_id'] = $form_id;
?>
<form method="POST" action="">
    <input type="hidden" name="form_id" value="<?= htmlspecialchars($form_id, ENT_QUOTES, 'UTF-8') ?>">
    <input type="hidden" name="form_token" value="<?= htmlspecialchars($form_token, ENT_QUOTES, 'UTF-8') ?>">
    <!-- other form fields go here -->
    <button type="submit" name="submit">Submit</button>
</form>
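Method 3 keeps a single token pair in the session, so opening a second form in another tab invalidates the first tab's pair. The following added example (not code from the original article) generalises the idea to a small per-session pool of single-use, per-form tokens with an expiry: each token is tied to the form it was issued for, is removed from the pool the moment it is checked, and dies after a time limit. `$session` stands in for `$_SESSION`, `$now` for `time()`, the constants and function names (`onetime_issue`, `onetime_prune`, `onetime_consume`) are this example's own, and the timestamps and form ids at the bottom are constructed.

```php
<?php
// Added example, not code from the original article: single-use, per-form CSRF
// tokens kept in a small per-session pool with an expiry. Several forms or tabs
// can be open at once, and a token is dead after its first use. $session stands
// in for $_SESSION and $now for time(), so the script runs from the CLI.
declare(strict_types=1);

const CSRF_POOL      = 'csrf_pool';
const CSRF_TTL       = 1800;  // seconds a token stays valid
const CSRF_POOL_SIZE = 20;    // oldest entries are dropped beyond this

// Drop expired entries, then keep only the newest CSRF_POOL_SIZE entries.
function onetime_prune(array &$session, int $now): void
{
    $pool = array_filter(
        $session[CSRF_POOL] ?? [],
        fn(array $e): bool => $now - $e['issued'] <= CSRF_TTL
    );
    if (count($pool) > CSRF_POOL_SIZE) {
        uasort($pool, fn(array $a, array $b): int => $a['issued'] <=> $b['issued']);
        $pool = array_slice($pool, -CSRF_POOL_SIZE, null, true);   // keep string keys
    }
    $session[CSRF_POOL] = $pool;
}

// Mint a token for one form and record which form it belongs to and when.
function onetime_issue(array &$session, string $formId, int $now): string
{
    $token = bin2hex(random_bytes(32));
    $session[CSRF_POOL][$token] = ['form' => $formId, 'issued' => $now];
    onetime_prune($session, $now);
    return $token;
}

// Verify and consume. The token must be in the pool, unexpired, and issued for
// this form id. It is removed as soon as it is looked up, so neither a replay
// nor a retry against a different form can reuse it.
function onetime_consume(array &$session, string $formId, $token, int $now): bool
{
    if (!is_string($token) || !isset($session[CSRF_POOL][$token])) {
        return false;
    }
    $entry = $session[CSRF_POOL][$token];
    unset($session[CSRF_POOL][$token]);
    if ($now - $entry['issued'] > CSRF_TTL) {
        return false;
    }
    return hash_equals($entry['form'], $formId);
}

// ---- CLI demonstration with constructed values ----
$session = [];
$t0      = 1700000000;                                      // constructed "now"
$tokA    = onetime_issue($session, 'profile', $t0);
$tokB    = onetime_issue($session, 'delete-account', $t0);  // second tab
$tokC    = onetime_issue($session, 'profile', $t0);         // third tab

$results = [
    'profile form, first use'            => onetime_consume($session, 'profile', $tokA, $t0 + 5),
    'profile form, same token replayed'  => onetime_consume($session, 'profile', $tokA, $t0 + 6),
    'delete form with a profile token'   => onetime_consume($session, 'delete-account', $tokC, $t0 + 7),
    'delete form, own token but expired' => onetime_consume($session, 'delete-account', $tokB, $t0 + CSRF_TTL + 1),
    'no token submitted'                 => onetime_consume($session, 'profile', null, $t0 + 8),
];
foreach ($results as $label => $ok) {
    printf("%-36s => %s\n", $label, $ok ? 'accepted' : 'rejected');
}
```

Only the first submission is accepted. In a real handler the pool lives in `$_SESSION`, so concurrent requests for the same session are serialised by PHP's session lock and the consume-then-check order holds; the pool cap keeps a user who keeps opening forms from growing the session without bound.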

Each method gives the server a way to verify that an incoming POST request originated from a form it rendered for the legitimate user, which substantially reduces the likelihood of a successful CSRF attack. Developers can choose the approach that best fits their application's architecture and security requirements.