
Is this enough for CSRF protection?

Is this enough for CSRF protection:

  • A random string is generated, $_SESSION['hash'] stores it
  • A hidden value (in $_POST['thing']) in a form contains the random string
  • When the form is submitted, it checks if $_SESSION['hash'] equals $_POST['thing'], and continues if they match

One of my site's users keeps telling me that my site is vulnerable, but I can't tell if he's just trolling me. Is there anything else that I can do?


What I think you are missing is limiting the token to a small window of time.

You should have a look at Chris's CSRF article. A quick summary:

  • A CSRF attack must include a valid token (anti-CSRF token) in order to perfectly mimic the form submission.
  • The validity of the token can also be limited to a small window of time, such as five minutes
  • If you use a token in all of your forms as I have suggested, you can eliminate CSRF from your list of concerns. While no safeguard can be considered absolute (an attacker can theoretically guess a valid token), this approach mitigates the majority of the risk. Until next month, be safe.


If it's unique to every user, then it should be enough. Even if it's the same for the duration of the user session, it's still OK, but I would suggest re-generating it periodically. Also you may want to use different tokens per form. For example, if you have a login form and a comments form, it's better to use different tokens for them, but it's not 100% necessary.

Why do you assume that just because someone says your site is vulnerable, it has to do with a CSRF attack? There are so many other possible vulnerabilities.

Maybe your web server is outdated and vulnerable, maybe the PHP version is not the most recent one. Maybe the user was able to log in to your server via SSH or telnet. Maybe the user was able to guess the admin password.

Maybe you let people log in by cookie and store login credentials in cookies.

There are just too many things other than CSRF that could be exploited. There is also a possibility that the user is wrong or does not know what he is talking about, or maybe he just wants to make you nervous.


Each time they load the page, it changes IF it's not already set.

Well, there is your problem. Once a token is retrieved, all the actions can be easily performed further on. I usually implement the token to be valid for one single request and regenerate it afterwards.
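The question's three steps, the first answer's five-minute validity window, the second answer's per-form tokens and this answer's single-use tokens all fit into one small helper. The following is an added example written for this page, not code from the asker or any of the answerers. It assumes PHP 7 or later (for `random_bytes` and `hash_equals`), keeps tokens under a `$_SESSION['csrf']` key of its own choosing, and names the hidden field `csrf_token`; the form names `comment` and `login` in the demo are constructed.

```php
<?php
declare(strict_types=1);

// Validity window for a token, in seconds (the "five minutes" from the first answer).
const CSRF_TTL = 300;

function csrf_session_start(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
}

// Issue a fresh token bound to one named form and one time window.
// Each call replaces the previous token for that form, so a token is good for one request only.
function csrf_token(string $form): string
{
    csrf_session_start();
    $token = bin2hex(random_bytes(32));               // 256 bits from the CSPRNG, not a predictable string
    $_SESSION['csrf'][$form] = [
        'token'   => $token,
        'expires' => time() + CSRF_TTL,
    ];
    return $token;
}

// Hidden input to drop into the form (assumed field name: csrf_token).
function csrf_field(string $form): string
{
    $value = htmlspecialchars(csrf_token($form), ENT_QUOTES, 'UTF-8');
    return '<input type="hidden" name="csrf_token" value="' . $value . '">';
}

// Validate a submitted token. The stored token is consumed on every attempt,
// successful or not, so it cannot be replayed and cannot be guessed by repetition.
function csrf_check(string $form, ?string $submitted): bool
{
    csrf_session_start();
    $entry = $_SESSION['csrf'][$form] ?? null;
    unset($_SESSION['csrf'][$form]);                  // single-use, regardless of outcome

    if ($entry === null || $submitted === null) {
        return false;                                  // no token issued, or none sent
    }
    if (time() > $entry['expires']) {
        return false;                                  // outside the validity window
    }
    // Constant-time comparison: never `==`, which is both timing-leaky and loosely typed.
    return hash_equals($entry['token'], $submitted);
}

// Demo when run from the command line; in a web app call csrf_field() when rendering
// and csrf_check($form, $_POST['csrf_token'] ?? null) when handling the POST.
if (PHP_SAPI === 'cli') {
    $t = csrf_token('comment');
    var_dump(csrf_check('comment', $t));               // bool(true)  first use within the window
    var_dump(csrf_check('comment', $t));               // bool(false) replay: token already consumed
    $t2 = csrf_token('comment');
    var_dump(csrf_check('login', $t2));                // bool(false) token is bound to another form
    var_dump(csrf_check('comment', strrev($t2)));      // bool(false) wrong value, and the real one is now consumed
}
```

Two points this shows that the original three-step recipe does not: a token that lives in the session indefinitely can be used as often as the attacker likes once it leaks, so consuming it on each check is what turns "unique per user" into "unique per request"; and comparing with `hash_equals` rather than `==` avoids both a timing side channel and PHP's loose-comparison surprises. Pages that render several forms at once need one stored token per form, which is why the store is keyed by form name.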


From: http://en.wikipedia.org/wiki/Cross-site_request_forgery

  • you can additionally decrease the lifetime of the cookie
  • check the HTTP Referer header
  • and a captcha - but not every user likes it

However, your approach with a secret key is still better than nothing...
