Do you Know How to Secure PHP Forms with CSRF Tokens?

CSRF tokens are used to secure forms in PHP. We generate a random token, store it in the session, and pass the same token through the form as a hidden field. After the form is submitted, the token received from the form is compared with the token stored in the session. Only if the two values match does the form submission succeed; otherwise it is rejected.

You can learn it in a simple six-step process.

About CSRF Tokens in PHP Forms

Cross-Site Request Forgery is called CSRF for short. CSRF tokens help us stop forged form submissions and CSRF attacks.

Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they’re currently authenticated. CSRF attacks specifically target state-changing requests, not theft of data since the attacker has no way to see the response to the forged request. With a little help of social engineering (such as sending a link via email or chat), an attacker may trick the users of a web application into executing actions of the attacker’s choosing. If the victim is a normal user, a successful CSRF attack can force the user to perform state-changing requests like transferring funds, changing their email address, and so forth. If the victim is an administrator account, CSRF can compromise the entire web application.

1. Generating CSRF Tokens

In this step we generate the CSRF token. The original approach uses three PHP functions, rand, uniqid and md5, to build a random-looking string that is stored in the session and also added to the form as a hidden input field. Note, however, that rand(), uniqid() and md5() are not cryptographic sources: uniqid() is derived from the current time and rand() from a guessable seed, so an attacker can narrow down the token. On PHP 7 and later, prefer bin2hex(random_bytes(32)), which reads from the operating system's CSPRNG; the rest of the steps are unchanged.

Here is the code for generating a token. I assign it to a variable named token so that we can reuse the same value later when adding the token to the form.

One point to note: we generate a new CSRF token on every page load. That means the token stored in the session is overwritten and a new token takes its place, so a form rendered earlier (for example in another browser tab) will no longer validate. You will see more about removing the token from the session in the last step.

2. Creating Session with CSRF Token

After generating the token, we add it to the session using the $_SESSION superglobal. Before that, we must start the session with session_start(), and it must be called before any output is sent to the browser, otherwise the session cookie cannot be set.

I store the value under the session key csrf_token. Here is the code for storing the CSRF token in the session.

3. Adding CSRF Tokens to form

Add the generated CSRF token to the form. I have assigned the generated token to the variable token, and that is the value I print into the form.

A common mistake is to print whatever $_SESSION['csrf_token'] holds at render time instead of the value just generated. If token generation runs after the form has already been output, the form and the session hold different values and every submission fails. Use the token variable you just stored so the form and the session always agree.

The token goes into the form as a hidden input field named csrf_token. Here is the code to add the CSRF token to your form; you can copy and paste it into your form. Escape the value with htmlspecialchars() if the token is not guaranteed to be plain hexadecimal.

4. Checking CSRF Tokens

After form submission, we compare the CSRF token submitted through the form with the CSRF token stored in the session.

First, we check that the request is a POST and that the $_POST superglobal is not empty. Only when that condition is true do we proceed to the next step of checking the CSRF tokens.

To check the tokens, I write an if condition that tests whether a csrf_token value was submitted with the form at all, and that it is a string (an attacker can submit csrf_token[] to turn it into an array). If it was submitted, we continue to the next step, comparing the two tokens.

Then I write an if condition that compares the submitted token with the session token. Compare them with hash_equals($_SESSION['csrf_token'], $_POST['csrf_token']) rather than ==: hash_equals runs in constant time and does not apply PHP's loose type juggling, which would treat certain numeric-looking strings as equal. Here is the code for comparing the tokens.

5. Proceeding with the next code

After the CSRF token comparison succeeds, we can proceed to the next step, which is processing your own application logic.

If you have a lot of code and want to keep it in a separate block, create a new if block that checks whether the csrferrors array is empty.

If it is empty, we proceed with the rest of the PHP code; if it contains an error, the submission is rejected and the error is shown instead.

6. Destroying CSRF Tokens

We should remove the CSRF token that is stored in the session when it is no longer needed. When the form page is reloaded, a new token is generated and stored in the session, overwriting the old one. On pages like the logout page, where the user session is ended and the user is redirected to the login page, you can use unset($_SESSION['csrf_token']) to remove the token explicitly.

Add that code to your logout page. If you already call session_destroy() there, the whole session, including the token, is discarded and no extra code is needed.

Complete code for CSRF tokens with PHP forms

If you have any problem arranging above pieces of code, you can use this complete code.
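The following complete example is added here and is not the author's own listing. It implements the six steps above in one page: the token is checked at the top of the POST handler, a fresh token is generated after the POST block (as the note at the end of the article requires), and the same value is printed into the form. It assumes PHP 7 or later and, as discussed in steps 1 and 4, substitutes bin2hex(random_bytes(32)) for the rand/uniqid/md5 generator and hash_equals() for a plain == comparison.

```php
<?php
// Added example, not the article's code. Requires PHP 7+ (random_bytes, hash_equals).
declare(strict_types=1);

// Step 2 (part 1): the session must be started before any output.
session_start();

$csrfErrors = [];
$message    = '';

// Step 4: validate the token before any state-changing logic runs.
if ($_SERVER['REQUEST_METHOD'] === 'POST' && !empty($_POST)) {
    $submitted = $_POST['csrf_token'] ?? null;
    $stored    = $_SESSION['csrf_token'] ?? null;

    // Reject missing tokens and non-string input such as csrf_token[]=x,
    // which would otherwise make hash_equals() throw a TypeError.
    if (!is_string($submitted) || $submitted === '') {
        $csrfErrors[] = 'CSRF token missing from the form.';
    } elseif (!is_string($stored) || !hash_equals($stored, $submitted)) {
        // Constant-time comparison; == would apply loose type juggling.
        $csrfErrors[] = 'CSRF token does not match.';
    }

    // Step 5: run application logic only when no CSRF error was recorded.
    if (empty($csrfErrors)) {
        // Hypothetical handler: the field name "account" is assumed for illustration.
        $account = (string) ($_POST['account'] ?? '');
        $message = 'Form accepted for account ' . htmlspecialchars($account, ENT_QUOTES, 'UTF-8');
    }
}

// Step 1: generate the token AFTER the POST block, so the value stored in the
// session is the one the next submission will carry. random_bytes() is a
// CSPRNG; rand()/uniqid()/md5() are predictable and should not be used here.
$token = bin2hex(random_bytes(32));

// Step 2 (part 2): store the token in the session.
$_SESSION['csrf_token'] = $token;

// Step 6 belongs on the logout page, not here:
//     unset($_SESSION['csrf_token']);   // or simply session_destroy();
?>
<!-- Step 3: print the SAME $token value the session now holds, as a hidden field. -->
<?php foreach ($csrfErrors as $error): ?>
    <p class="error"><?= htmlspecialchars($error, ENT_QUOTES, 'UTF-8') ?></p>
<?php endforeach; ?>
<?php if ($message !== ''): ?>
    <p class="ok"><?= $message ?></p>
<?php endif; ?>
<form method="post" action="">
    <input type="hidden" name="csrf_token"
           value="<?= htmlspecialchars($token, ENT_QUOTES, 'UTF-8') ?>">
    <label>Account <input type="text" name="account"></label>
    <button type="submit">Save</button>
</form>
```

Because a new token is issued on every request, a form opened in a second tab before the first one is submitted will fail validation; that is the trade-off of the per-page-load scheme the article describes, and a per-session token (generated only when $_SESSION['csrf_token'] is unset) avoids it at the cost of a slightly longer token lifetime.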

CSRF tokens add an extra layer of security to your forms, and they are recommended by security professionals.

Add CSRF tokens to your forms and make them secure. If you want to learn more about CSRF tokens, join my course.

Note: generate the new token after the form-submission PHP code. If you generate it before the form-submission block (the POST if block), the token stored in the session is overwritten before the comparison runs and you will get a "CSRF token not matching" error on every submission. Move the token generation and session assignment to after the form-submission code.

If you have any doubts let me know through the comment form below.

Vivek Vengala

Vivek Vengala is an online entrepreneur and web developer from Hyderabad, India.
