Join devRant
Do all the things like
++ or -- rants, post your own rants, comment on others' rants and build your customized dev avatar
Sign Up
Pipeless API
From the creators of devRant, Pipeless lets you power real-time personalized recommendations and activity feeds using a simple API
Learn More
-
@Frederick Does that work by checking the hash of the body?
-
@Frederick CSRF codes can protect against some bots but very much against session hijacking through XSS vulnerabilities.
And yes also the thing you described! -
@AlexDeLarge Good to know. Implementing that then.
-
@iexx Why would that be sketchy? And yeah I checked, the right session is being submitted (there's only one anyways)
-
@linuxxx nah not the session cookie, but if ur server side is set up to generate a new token per request, it could replace the server's copy of the csrf token (this happened to me before
-
@iexx True and it is setup to do that but ONLY with the index.php and I'm calling other php files
-
@linuxxx hmm idk then, that's all I could think of. good luck this kinda thing is tough to get right
-
@PrivateGER just to add to the above, laravel has it too, in form of just putting a "@csrf" into your forms (in your template files) and also enforces them, by simply declining certain requests if theres no csrf
I'm losing my fucking mind right fucking here.
Setting an anti-csrf token in the index.php file ONCE. Yes, I triple trillion checked, only fucking once.
Print it to the page as test, fair enough, looks good.
Send an ajax request to the server:
AN ENTIRELY FUCKING DIFFERENT TOKEN 😡
Fucking hell.
rant
fuck off and die