
I am making my own social media network for a project at college. One hurdle I have come across is secure forms.

I am making an option for one user to send a friend request to another user, which I can code. But the tricky part is making it secure. If I were to just use xxxxxx/profile.php?id=2&action=sendfr then people could be sent that link and made to send them a friend request.

If I sent action=sendfr as POST data then a spoofer could make a form on a website to do the same.

One method I am considering is sending some sort of AuthKey in POST data that is sent to the client for these purposes.

Could anyone please recommend the best option for making user actions secure?

  • CSRF will possibly help here, or a secure cookie perhaps. Commented Oct 28, 2017 at 1:10
  • The only cookie I use is PHPSESSID. My consideration is, when the page loads, having a token sent to the user via a JavaScript variable that can be used in POST forms to authenticate actions. Commented Oct 28, 2017 at 1:13
  • Are you using a framework? Commented Oct 28, 2017 at 1:15
  • Look into CSRF tokens as suggested by Andy. Commented Oct 28, 2017 at 1:15
  • Thank you, yes, that is what I am researching now. Commented Oct 28, 2017 at 1:16

1 Answer

What you are trying to avoid is a Cross-site request forgery. There are several ways to avoid them, but the most popular is to generate a random token on the server and send it with every page that can make changes to persistent data. Then, when the user sends a request back, it must include the token so the server can verify that the tokens match. In this case the tokens must be random and different in every request. You will find more details and techniques on the OWASP page linked above.


2 Comments

I have just made it so that when a session starts (the user logs in), for that PHP session the user is given a token that is stored in $_SESSION. This token is echoed into forms, which relay it back to the server via POST.
As long as your CSRF token is not the same as the session token, you should be OK.
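The synchronizer-token pattern described in the answer and settled on in the comments, written out as an added example for the friend-request action from the question. This is not code from the original post; the helper names (csrf_token, csrf_verify, send_friend_request), the session key names and the single-file layout of profile.php are assumptions made for illustration.

```php
<?php
// Added example (not from the original post): synchronizer-token CSRF
// protection for profile.php?id=N with action=sendfr.
// Helper names, session keys and file layout are assumed, not the asker's.

declare(strict_types=1);

session_start();

// Issue one unpredictable token per session (32 random bytes, hex-encoded).
// random_bytes() is a CSPRNG; rand(), mt_rand() and uniqid() are not.
// The token is deliberately a different value from the PHPSESSID cookie.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Compare the submitted token with the session copy in constant time.
// hash_equals() avoids a timing side channel; never use == or === here.
function csrf_verify(?string $submitted): bool
{
    $expected = $_SESSION['csrf_token'] ?? '';
    return is_string($submitted)
        && $expected !== ''
        && hash_equals($expected, $submitted);
}

// Placeholder for the real persistence logic (assumed; not on the page).
function send_friend_request(int $fromUserId, int $toUserId): void
{
    // A prepared INSERT into a friend_requests table would go here.
}

// ---- Handling a request to profile.php ----

$targetId = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT);
if ($targetId === false || $targetId === null) {
    http_response_code(400);
    exit('Bad profile id');
}

if (empty($_SESSION['user_id'])) {
    http_response_code(401);
    exit('Login required');
}

// State-changing actions are accepted ONLY via POST with a valid token.
// The GET link from the question, profile.php?id=2&action=sendfr, does
// nothing here, and a POST forged from another site fails the token check
// because that site cannot read the token out of our page.
if ($_SERVER['REQUEST_METHOD'] === 'POST' && ($_POST['action'] ?? '') === 'sendfr') {
    if (!csrf_verify($_POST['csrf_token'] ?? null)) {
        http_response_code(403);
        exit('Invalid CSRF token');
    }
    send_friend_request((int) $_SESSION['user_id'], $targetId);
    // Redirect after POST so a browser refresh does not resubmit the action.
    header('Location: profile.php?id=' . $targetId, true, 303);
    exit;
}

// Render the form. The token travels in a hidden field and is HTML-escaped
// before being echoed into the markup.
$token = htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8');
?>
<form method="post" action="profile.php?id=<?= $targetId ?>">
    <input type="hidden" name="action" value="sendfr">
    <input type="hidden" name="csrf_token" value="<?= $token ?>">
    <button type="submit">Send friend request</button>
</form>
```

Two points worth checking in your own implementation: the token must be compared with hash_equals() rather than a plain string comparison, and it must be bound to the logged-in session (here it lives in $_SESSION, so a token lifted from one user's page does not validate for another). As defence in depth, setting the session cookie with the SameSite attribute (session_set_cookie_params(['samesite' => 'Lax', ...]) on PHP 7.3 and later) stops most browsers from attaching PHPSESSID to cross-site POSTs at all, but it is a supplement to the token, not a replacement for it.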
