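<?php
// Bind the session to a coarse client fingerprint (see calculate_token()).
// On the first request the fingerprint is recorded; on later requests a
// mismatch is treated as a possibly hijacked/replayed session: a new session
// id is issued and every stored value is discarded.
session_start();
$token = calculate_token();
$session_token = isset($_SESSION['token']) ? $_SESSION['token'] : null;
if (!$session_token) {
    // First request of this session: remember the fingerprint.
    $_SESSION['token'] = $token;
} elseif ($session_token !== $token) {
    // Fingerprint changed. Pass true so the OLD session file is deleted as
    // well; with the default (false) the previous id and its data stay valid
    // on the server and can still be replayed by whoever holds that id.
    session_regenerate_id(true);
    $_SESSION = array();
    $_SESSION['token'] = $token;
}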
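/**
 * Derive a coarse, non-secret client fingerprint used to notice a session
 * being presented from a different client.
 *
 * Inputs are the user agent, the Accept-Charset header and the client IP
 * with its last dotted octet removed, so a client whose address moves within
 * the same /24 keeps its session. Missing values fall back to fixed strings.
 * md5 is used only as a compact digest: nothing in this value is secret and
 * it is only ever compared against a copy of itself in the session, so
 * collision resistance is not a requirement here.
 *
 * NOTE(review): REMOTE_ADDR is the TCP peer. Behind a reverse proxy/CDN it is
 * the proxy's address for every client, which makes the IP component
 * constant — confirm the deployment if that matters.
 *
 * @return string 32-character lowercase hex digest
 */
function calculate_token()
{
    $ip = !empty($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '127.0.0.1';
    $ua = !empty($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : 'no ua';
    $charset = !empty($_SERVER['HTTP_ACCEPT_CHARSET']) ? $_SERVER['HTTP_ACCEPT_CHARSET'] : 'no charset';

    // Keep everything before the last '.' (drops the final IPv4 octet).
    // The original used strrpos(...) - 1, which also chopped the last digit
    // of the third octet ("192.168.1.100" -> "192.168."), and for an address
    // without any '.' (IPv6) strrpos() returned false, turning the call into
    // substr($ip, 0, -1) and stripping the last character instead.
    $lastDot = strrpos($ip, '.');
    if ($lastDot !== false) {
        $ip = substr($ip, 0, $lastDot);
    }
    // An address with no '.' (IPv6) is used whole. TODO(review): pick a prefix
    // length (e.g. /64) if IPv6 clients are expected to renumber mid-session.

    return md5($ua . $ip . $charset);
}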
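/**
 * Return the per-session CSRF token, generating it on first use.
 *
 * The token is 32 bytes from the OS CSPRNG, hex-encoded (64 characters).
 * The original used md5(uniqid('', true)): uniqid() is derived from the
 * current time plus a small lcg value, so it is not cryptographically random
 * and a token could in principle be narrowed down by an attacker who knows
 * roughly when the session was created. random_bytes() requires PHP >= 7.0.
 *
 * @return string 64-character hex string
 * @throws Exception if no secure randomness source is available
 */
function get_csrf_token()
{
    if (!isset($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}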
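// Handle the form submission. Nothing below runs unless the request carries a
// CSRF token that matches the one stored in the session.
if (isset($_POST['token'])) {
    // hash_equals() compares in constant time and, unlike the original `!=`,
    // never loosely compares (e.g. "0" vs. a numeric-looking token). The
    // is_string() guard matters because hash_equals() raises a TypeError when
    // handed an array (token[]=x) instead of failing closed.
    if (!is_string($_POST['token']) || !hash_equals(get_csrf_token(), $_POST['token'])) {
        http_response_code(403);
        echo 'FU';
        exit;
    }
    if (isset($_POST['url'])) {
        $url = $_POST['url'];
        // SECURITY: the redirect target is taken straight from the request,
        // which makes this an open redirect. The CSRF token only stops other
        // sites from submitting the form; it does not stop a user (or a
        // phishing link that pre-fills this page) from choosing the
        // destination. The check below limits the target to an absolute
        // http(s) URL or a site-relative path; an allow-list of permitted
        // hosts is the real fix and should be added by whoever owns the site.
        $parts = is_string($url) ? parse_url($url) : false;
        $isAbsoluteHttp = $parts !== false
            && isset($parts['scheme'], $parts['host'])
            && in_array(strtolower($parts['scheme']), array('http', 'https'), true);
        // "/path" but not "//host" or "/\host", which browsers treat as
        // scheme-relative URLs to another host.
        $isRelativePath = $parts !== false
            && !isset($parts['scheme'], $parts['host'])
            && strlen($url) > 0 && $url[0] === '/'
            && (strlen($url) < 2 || ($url[1] !== '/' && $url[1] !== '\\'));
        // CR/LF would be header injection; PHP refuses such headers, but
        // reject explicitly rather than depend on that.
        $hasControlChars = is_string($url) && preg_match('/[\r\n]/', $url) === 1;
        if (($isAbsoluteHttp || $isRelativePath) && !$hasControlChars) {
            header('Location: ' . $url);
            exit;
        }
        http_response_code(400);
        echo 'Invalid url';
        exit;
    }
    echo 'There was no url';
}
?>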
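<form method="POST">
    <!-- type="input" is not a valid input type; browsers fall back to text, so say so explicitly. -->
    <input type="text" name="foo" />
    <!-- Redirect target read by the POST handler; a user can change this value before submitting. -->
    <input type="hidden" name="url" value="http://google.com" />
    <!-- CSRF token. Escaped for the attribute context even though the current token is hex,
         so the template stays safe if the token format ever changes. -->
    <input type="hidden" name="token" value="<?php echo htmlspecialchars(get_csrf_token(), ENT_QUOTES, 'UTF-8'); ?>" />
    <input type="submit" />
</form>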