Is this enough to protect CSRF?

Question

This is enough to protect CSRF:

A random string is produced, $_SESSION['hash']stores it
The hidden value (in $_POST['thing']) in the form contains a random string
When the form is submitted, it checks to see if it is equal $_SESSION['hash'] $_POST['thing'], and continues if they match

One of my site users tells me that my site is vulnerable, but I can’t say if it just trolled me. Is there anything else I can do?

+3

Kevin evans Jan 30 '11 at 1:48

4 answers

, , , .

Chris CRSF. :

+3

Alfred 30 . '11 3:09

, , , .

, . , . , , .

+1

mhitza 30 . '11 3:13

, ...

0

bensiu 30 . '11 1:57

Dmitri · Accepted Answer · 2011-01-30T02:40:39+0000

, . , , . . , , , 100% .

, , - , , CSRF? .

, - , , php . , ssh telnet. , .

, cookie cookie.

, CSRF, . , , , , , .