What should I do in case of a cross site request forgery attack?
I’m trying to prevent CSRF attacks. I’ve stored a random value in the session and in the form. When processing the form, I compare the two values. If the session and the form value aren’t equal, should I kill the script or is there a better way to handle this?
If this is very unlikely to happen from a real user, then I would prevent the script from saving/returning any data, but I would return a 'success' message as if it had worked. If you return a failure, it helps hackers to work out how your validation is coded.
On the other hand, if this happens to real users, I would return a friendly error, and possibly ask them to log in again.
Yes. Just let it fail. There is no point in recovering from such errors.
What you should do however is also write a log entry to audit potential exploit attempts:
syslog(LOG_ERR, "CSRF token mismatch ...");
die("Request failed. (Disabled cookies?) Contact administrator: ...");
Include a human-readable message in case it was really a browser error or something. But don't expose that it was the CSRF token that failed.
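A fuller version of the pattern this answer describes (audit log with the detail, generic failure message to the client), written as an added example and not taken from the answer itself. It assumes the token lives in `$session['csrf_token']` and the form posts it as `csrf_token`; the function names and the demo values at the bottom are constructed for illustration.

```php
<?php
// Added example: session-bound CSRF token check with audit logging and a
// generic client-facing failure. Not the answerer's code.

function generateCsrfToken(array &$session): string
{
    // One fresh random token per session; the same value is embedded in the form.
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

function csrfTokenIsValid(array $session, array $form): bool
{
    $expected  = $session['csrf_token'] ?? '';
    $submitted = $form['csrf_token'] ?? '';
    if ($expected === '' || !is_string($submitted)) {
        return false;
    }
    // hash_equals() runs in constant time, so the comparison itself does not
    // leak how many leading bytes of the token a forged value got right.
    return hash_equals($expected, $submitted);
}

function handleFormPost(array &$session, array $form): string
{
    if (!csrfTokenIsValid($session, $form)) {
        // The detail goes to the server log only, for later auditing.
        $remote = $_SERVER['REMOTE_ADDR'] ?? 'unknown';
        $uri    = $_SERVER['REQUEST_URI'] ?? '(cli)';
        syslog(LOG_ERR, "CSRF token mismatch from {$remote} on {$uri}");
        http_response_code(403);
        // Generic message: it does not say which check failed.
        return 'Request failed. (Disabled cookies?) Contact the administrator if this persists.';
    }
    // ... normal form processing would go here ...
    return 'OK';
}

// Constructed demo: a matching token is accepted, a forged one is rejected and logged.
$session = [];
$token   = generateCsrfToken($session);
echo handleFormPost($session, ['csrf_token' => $token]), PHP_EOL;
echo handleFormPost($session, ['csrf_token' => 'forged']), PHP_EOL;
```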