PHP Classes

Why Would You Want to Do a PHP Upgrade to Version 7.3 or 8.3 to Benefit from Better Security using the Improved SameSite Cookie Support

Recommend this page to a friend!
  Blog PHP Classes blog   RSS 1.0 feed RSS 2.0 feed   Blog Why Would You Want to...   Post a comment Post a comment   See comments See comments (5)   Trackbacks (0)  

Author:

Updated on: 2023-01-17

Posted on: 2023-01-17

Viewers: 216 (February 2023 until August 2023)

Last month viewers: 30 (August 2023)

Categories: PHP Tutorials, PHP Security, News

Newer PHP versions often provide improved security features. That is the case of the SameSite cookie support to help your site to be better protected against Cross-Site Request Forgery (CSRF) attacks.

Read this short article to learn more about CSRF attacks, SameSite cookies, and code examples of how to benefit from improvements done in PHP 7.3 and PHP 8.3 to quickly implement this option to protect better your sites from these attacks.

There are more modern ways to generate random strings. Read another article about the \Random\Randomizer class to learn more about modern ways to generate random values.




Loaded Article

In this article you will learn about:

1. What Are Cross-Site Request Forgery (CSRF) Attacks

2. Why You Need to Implement Security Measures in Your PHP Code to Protect Your Sites Against CSRF Attacks

3. How You Can Use SameSite Cookies in PHP to Protect Against CSRF Attacks with Code Examples

4. How You Can Benefit Your Sites Security from PHP 7.3 and PHP 8.3 Improvements in SameSite Cookie Settings with Code Examples


1. What Are Cross-Site Request Forgery (CSRF) Attacks

Cross-Site Request Forgery Attacks are a form of abuse that sites may be victims of by allowing misled logged users to perform actions they do not want, but they are fooled into performing those actions and causing some loss.

An example of this attack is an e-commerce site with a form to let the users change the default shipping address to the attacker's physical address and then another form to place an order for products to be sent to the attacker's shipping address.

2. Why You Need to Implement Security Measures in Your PHP Code to Protect Your Sites Against CSRF Attacks

A CSRF attack may be made using a form with hidden input values. The attacker may put this form in another site he controls and attract the users to use the form submit button so that the state will be forwarded to the e-commerce site.

Suppose the e-commerce site does not implement security measures against CSRF attacks.

In that case, the attacker may be able to change the shipping address of the victim user and place an order for a product being sold by the e-commerce site in a way that the product will be delivered to the address of the person that created this form of attack.

So the victim will pay for a product that he did not buy.

If you own an e-commerce site or implement an e-commerce site for a customer, you should protect the site against this attack.

Otherwise, the actual customer may request the payment handling company, like Paypal or some other payment processing company, to refund the fees. In that case, your company may ship the products, and the price will not be received.

3. How You Can Use SameSite Cookies in PHP to Protect Against CSRF Attacks with Code Examples

In PHP you can implement CSRF attack protection using random token values. These values are created on server side in pages that present forms and stored in PHP session variables. Usually the CSRF tokens also have an expiry time associated to them.

$csrf_token_expiry_time = 300; // 5 minutes

$csrf_token = hash('ripemd160', rand(0, getrandmax()));

$_SESSION['csrf_token'] = $csrf_token;

$_SESSION['csrf_token_expiry'] = time() + $expiry_time; 

There are more modern ways to generate random strings. Read another article about the \Random\Randomizer class to learn more about modern ways to generate random values.

The CSRF token values are usually passed in hidden inputs to the pages that process the forms.

echo '<input type="hidden" name="token" value="'. $csrf_token.'">';

echo '<input type="submit" name="process">';

If the CSRF value passed via the form is not present, or it is forged, or expired, the PHP application will ignore the form submission, as if the user did not submit the form.

if(IsSet($_POST['submit'])
&& IsSet($_POST['token'])
&& GetType($_POST['token']) === 'string'
&& IsSet($_SESSION['csrf_token'])
&& IsSet($_SESSION['csrf_token_expiry'])
&& $_POST['token'] === $_SESSION['csrf_token']
&& time() < $_SESSION['csrf_token_expiry'])
{
  // Process the form submission
}
else
{
  // Ignore the form submission and display the form again
}

4. How You Can Benefit Your Sites Security from PHP 7.3 and PHP 8.3 Improvements in SameSite Cookie Settings with Code Examples

Another form of CSRF attack protection is to use SameSite cookies.

The CSRF token can be stored in a cookie with the SameSite cookie property set to the the value strict.

PHP 7.3 improved the support to SameSite cookies. Since this version you can set cookie properties using associative arrays passed to the setcookie, setrawcookie, session_set_cookie_params functions.

There are good code examples in the PHP 7.3 RFC document for SameSite cookie settings that demonstrate this.

Using setcookie function:

setcookie ('token', $csrf_token, 0, "", "", true, true, 'strict');

Using setcookie function using an options array:

setcookie ('token', $csrf_token, 0, array('SameSite'=>'strict'));

You can also change the options for the current PHP session:

session_set_cookie_params(0, '', '', true, true, 'strict');

Using session_set_cookie_params function using an options array:

session_set_cookie_params(0, array('SameSite' => 'strict');

PHP 8.3 will improve these functions by allowing to set the SameCookie property values using enum values. The PHP 8.3 RFC document for the SameSite cookie settings gives more details.

This way you will be less likely to make a mistake and set the SameCookie property to an invalid value because the cookie setting functions will fail if the value that is passed in not one of the valid enum values for the SameSite property.

setcookie('token', $csrf_token, 0, "", "", true, SameSite::Strict);



You need to be a registered user or login to post a comment

1,611,040 PHP developers registered to the PHP Classes site.
Be One of Us!

Login Immediately with your account on:



Comments:

1. Great overview - Terry Woody (2023-01-18 21:46)
csrf token... - 4 replies
Read the whole comment and replies



  Blog PHP Classes blog   RSS 1.0 feed RSS 2.0 feed   Blog Why Would You Want to...   Post a comment Post a comment   See comments See comments (5)   Trackbacks (0)