PKP Bugzilla – Bug 7001
Implement CSRF checking
Last modified: 2012-09-21 15:01:09 PDT
We are moving to Git Issues for bug tracking in future releases. During transition, content will be in both tools. If you'd like to file a new bug, please create an issue.
Implement CSRF (cross-site request forgery) checking. http://en.wikipedia.org/wiki/Cross-site_request_forgery
My suggestion would be to examine the way Wordpress has dealt with this. WP uses Nonce keys on each form, painless with a wp_nonce_field() function call. The keys are stored in a database table that also contains the referring document of the form, the destination URL, and other information about the user session. They also expire after a reasonable amount of time. On form submission, part of the validation routine extracts the nonce key from the hidden form field and pulls the information out of the database, verifies that everything is correct, expires the nonce key, and then processes the form.
The nice thing about the WP approach is that the nonce functions abstract all of the key creation, record creation, and so on. You just need to include it on your form and then call wp_verify_nonce() as part of the form validation routine.