I am working on enhancing the security of an existing web application which currently has not implemented the use of anti-CSRF tokens, so it is up to me to generate one, add the hidden fields and checks, etc. A limitation right now is that neither the openssl or mcrypt modules are currently configured on the server.
Here is my token-generating code:
$csrfToken = base64_encode(uniqid(mt_rand(100, 999) . microtime(), true));
I have a feeling that this would provide an adequate token, but not a particularly strong one, but that's my own personal instinct. Does anybody have any suggestions as to how I can strengthen the security of this token without the use of mcrypt or openssl functions? Thank you!
EDIT: This is currently how I am verifying the token after the form is submitted, where $token is the token passed along with the request:
function validate_token($token) {
return isset($_SESSION['csrfToken']) && $token === $_SESSION['csrfToken'];
}
Aucun commentaire:
Enregistrer un commentaire