php form: prevent outside posters with tokens

I'm making a web game for fun with lots of forms that post data to php pages. What are some methods to preventing people from using their own web forms to post to my site?

My knowledge PHP is not too advanced. So, while I've been researching this topic, unfortunately the answers I've found have been confusing me a little. I found this SO question from earlier that addressed the issue: Secure ajax form POST. I'm 开发者_JAVA百科a little confused by the first answer and was wondering if somebody could provide an example in PHP. Some specific points I'm struggling with are:

• how would you save a token somewhere on your server?
• how do you decide what that token should be?
• if somebody is on the website, can't they just view the source and see the token in the hidden input element and use that in their own third party form?

Thanks for your help!

There are a number of CSRF prevention libraries you can use. One is CSRFGuard at OWASP

You may also wish to read the main CSRF page to understand the issues and the CSRF Prevention Cheat Sheet to understand the principles behind the implementation design.

If you've read up and understood the issues, it should be a simple job to add your own protection, if you wish to construct your own implementation.

Bear in mind that if you have any XSS vulnerabilities, your CSRF protection can be simply bypassed. So be sure to understand XSS Prevention also.

1. The token is stored in the user's session along with an expiration date/time
2. The token can be generated automatically, per-user. It needs to be random enough to avoid guessing.
3. Yes, but you can combat this by using per-user token generation and expiration. If a token is submitted without an existing user session, or if the token has expired in the current session, redirect the user to an appropriate notification of failure.