Vpp Man Vpp Man - 2 months ago 7
PHP Question

reason for using a token in HTML form and checking in PHP code

In a code i have seen this creation of token for a login page:

$token = $_SESSION['token'] = md5(uniqid(mt_rand(),true));

Then this token is echoed as a hidden input in the login form and on submitted, php code to validate login also checks this token like:

public function isTokenValid()
return (!isset($_SESSION['token']) || $this->_token != $_SESSION['token'])? 0 : 1;

What is the use of this token ?

Edit: This page is describes the use of it: https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet


Approach like this is commonly used to prevent CSRF vulnerabilities