Securing forms with form keys
A few months ago I wrote an article for Nettuts+ about securing forms with form keys (or nonces). It is a great way to add some extra security to your forms. The original tutorial can be found here:
http://net.tutsplus.com/tutorials/php/secure-your-forms-with-form-keys/
(I just recently found out that the article has also been translated to French! http://www.angechierchia.com/php/securiser-ses-formulaires-avec-une-cle-unique/)
If you are using Zend Framework you can easily add this kind of protection to your forms. You only have to add the following line:
$form->addElement('hash', 'name_of_hash_element', array('salt' => 'unique'));
If you are familiar with creating forms with Zend Framework this shouldn’t be a problem. We just add a new ‘hash’ element to our form variable. So what does this do? First of all, a hidden HTML element is added to your form when it is rendered. Second, a session is started to remember the value of the form key. Now when you validate your form, the form key is checked as well. The form key is valid if it is the same as the value stored in the session.
Using this kind of protection is easy and fast, and it helps prevent CSRF.
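To make the three steps above concrete (hidden field, session storage, comparison on submit), here is an added example that re-implements the form-key mechanism in plain Python; it is not code from the original post or from Zend Framework. The session is a plain dict standing in for a server-side session store, and the field name "form_key" and slot name SESSION_KEY are assumptions of this example; keys are also made single-use, which is what makes them nonces.

```python
import hmac
import html
import secrets

SESSION_KEY = "form_key"  # hypothetical session slot name (assumption)


def issue_form_key(session: dict) -> str:
    """Generate a fresh random key and remember it in the session (step 2)."""
    key = secrets.token_hex(16)  # 128 bits from the OS CSPRNG
    session[SESSION_KEY] = key
    return key


def hidden_field(session: dict, name: str = "form_key") -> str:
    """Render the hidden <input> that is added to the form (step 1)."""
    key = issue_form_key(session)
    return '<input type="hidden" name="%s" value="%s">' % (
        html.escape(name), html.escape(key))


def validate_form_key(session: dict, post: dict, name: str = "form_key") -> bool:
    """Compare the submitted key with the one in the session (step 3).

    The stored key is removed whether or not the check passes, so each
    key is single-use: a captured submission cannot be replayed.
    """
    expected = session.pop(SESSION_KEY, None)
    submitted = post.get(name)
    if expected is None or submitted is None:
        return False
    # constant-time comparison avoids leaking the key through timing
    return hmac.compare_digest(expected, submitted)


def demo() -> list:
    """Walk through a valid post, a replay, a forged key and a missing key."""
    session = {}  # constructed stand-in for the user's session
    hidden_field(session)  # form rendered, key stored
    key = session[SESSION_KEY]
    good = validate_form_key(session, {"form_key": key})        # True
    replay = validate_form_key(session, {"form_key": key})      # False: key consumed
    hidden_field(session)                                       # form rendered again
    forged = validate_form_key(session, {"form_key": "guess"})  # False: mismatch
    missing = validate_form_key(session, {})                    # False: no key submitted
    return [good, replay, forged, missing]
```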
Tags: csrf, form, form keys, nettuts, nonces, PHP, Security, zend framework

Hi, thanks for the backlink to my French translation! I will update my article to point to your blog.
See you
Is that one line really the only thing I have to add on my ZF Form? No validation at the post-action?
Of course you should also validate the other elements of your form, but if you add this to your form model and use the validate() function the hash will be validated too.
Okay, that’s what I wanted to know. Thanks!