PHP Security: CSRF (Cross-site Request Forgery)

Video is ready, Click Here to View ×


  • Your tutorial is awesome

  • Can you make a tutorial about CSRF Tokens that works for multiple tabs and windows browsing ? You're previous tutorials about creating CSRF Tokens are not multiple tabs and windows friendly.

  • so exactly how well does this protect against csrf?

  • In delete.php

    require 'app/bootstrap.php' should come after


    because if an attacker tricks the logged in user to click a link which is navigating to delete.php, in that time its a GET request but in bootstrap.php validations is only for POST REQUEST , if any GET request hits the page it will create a new CSRF token that results in logged user to get invalid CSRF token error message if he/she clicks on delete button.

  • Unless im missing something, this will only protect against CSRF performed in a script under the same domain? So this is not really useful in real world applications?

  • I don't think this particular scenario will work in a real-life situation because in order for it to work, the attacker's page needs to be on the same domain as the target page (which is highly unlikely). Otherwise, the AJAX request from the attacker's page will fail because of the same-origin policy enforced by the browser.

  • thanks a lot, that's very useful for me …

  • Thank you very much, really nice way to explain it.

  • Couldn't the author of the CSRF php page just use a file_get_contents to make the request for the index to grab the token, then echo it out as a submitted variable when making the ajax request for the delete.php? I understand how CSRF makes things a little more secure, but in my opinion, it just makes it slightly more difficult, but only if the author of the csrf.php file doesn't really think things through a little more.

  • I like how you explained this but i do have one question. This works well when the attacker is remote, but when their local they are able to see the traffic(what ever means they wish to do it, and assuming the side doesn't use SSL)and in turn able to see the token as plain text and can mount an attack based on that. Is there a better way without including it as plain text on the page? Love the videos, i don't use PHP much any more but i still like to keep up with it as well as your a very good teacher.

Leave a Reply

Your email address will not be published. Required fields are marked *