How can CSRF (Cross Site Request Forgery) attacks be prevented in PHP forms, and what role do session management and unique tokens play in this defense?

CSRF attacks can be prevented in PHP forms by using session management and generating unique tokens for each form submission. Session management helps to verify the user's identity, while unique tokens ensure that the form submission is legitimate and not initiated by a malicious third party.

&lt;?php
session_start();

// Generate a unique token
$token = bin2hex(random_bytes(32));
$_SESSION[&#039;csrf_token&#039;] = $token;

// Include this token in the form
echo &#039;&lt;form method=&quot;post&quot;&gt;&#039;;
echo &#039;&lt;input type=&quot;hidden&quot; name=&quot;csrf_token&quot; value=&quot;&#039; . $token . &#039;&quot;&gt;&#039;;
// Add other form fields here
echo &#039;&lt;/form&gt;&#039;;

// Validate the token on form submission
if(isset($_POST[&#039;csrf_token&#039;]) &amp;&amp; $_POST[&#039;csrf_token&#039;] === $_SESSION[&#039;csrf_token&#039;]) {
    // Process the form data
} else {
    // Handle invalid token
    echo &#039;CSRF token validation failed&#039;;
}
?&gt;

Keywords

CSRF Cross Site Request Forgery PHP forms session management unique tokens

How can CSRF (Cross Site Request Forgery) attacks be prevented in PHP forms, and what role do session management and unique tokens play in this defense?

Keywords

Related Questions