Preventing CSRF in PHP
Cross-site request forgery (CSRF) is an attack in which a malicious website causes the victim's browser to send requests to another website, one the user is already logged in to, without the user's knowledge that it is happening.
Hypothetical situation: you have just done some online banking and ticked the 'Remember me' option when you logged in. The banking website lets you transfer money to other people with a single request. While browsing the malicious site you see a link that appears to lead somewhere harmless, but it actually points to www.my.bank/transfer?to=3740384342&amount=99999 . Because you ticked 'Remember me', your browser still holds a valid login cookie for the bank and attaches it to that request automatically, so the bank treats the request as yours and goes ahead and transfers the funds.
There are some obvious things the bank could fix, such as asking the user to confirm before sending funds or making its URLs harder to guess, but the problem with the form itself remains. There's nothing stopping anyone from building a page that submits seemingly valid data to the URL the form posts to, and the user's browser will send their cookies along with it. This problem is known as cross-site request forgery (CSRF), and it is a potential problem on any dynamic website that performs state-changing actions on behalf of a logged-in user. While stealing money is an extreme example, CSRF could also be used to change a user's account settings on a website or post spammy comments on a blog without the user…
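To make the problem and the fix concrete, here is an added example (not code from the original article) showing a transfer handler written the way the bank in the story behaves, next to a hardened version that uses a per-session synchronizer token. The `transfer()` function, the `/transfer` action URL and the field names are assumptions made up for illustration; the token helpers use only standard PHP functions (`random_bytes`, `hash_equals`, `session_start`).

```php
<?php
// Added example, not the article's code. Assumes a session-based login and a
// hypothetical transfer() function; the form action and field names are made up.
declare(strict_types=1);

session_start();

// Hypothetical: stands in for the real funds movement.
function transfer(string $to, int $amount): void
{
    // ... move $amount to account $to ...
}

// One token per session, stored server-side in the session, never in a cookie:
// a cookie would be sent automatically and so would give the attacker nothing
// to prove. The attacker's page cannot read this value.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Constant-time comparison so the check does not leak token bytes via timing.
function csrf_check(?string $submitted): bool
{
    return is_string($submitted)
        && isset($_SESSION['csrf_token'])
        && hash_equals($_SESSION['csrf_token'], $submitted);
}

// Hidden field to embed in every form that changes state.
function csrf_field(): string
{
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
}

// --- Vulnerable handler: what the bank in the story effectively does ---
// Accepts GET or POST and asks for no proof that the request came from the
// bank's own form, so a link, <img> or hidden form on any page can trigger it.
function transfer_vulnerable(): void
{
    transfer((string) $_REQUEST['to'], (int) $_REQUEST['amount']);
}

// --- Hardened handler ---
function transfer_protected(): void
{
    // State changes only over POST; a plain link or <img> cannot issue one.
    if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
        http_response_code(405);
        exit('Method not allowed');
    }
    // The submitted token must match the one tied to this session.
    if (!csrf_check($_POST['csrf_token'] ?? null)) {
        http_response_code(403);
        exit('Invalid CSRF token');
    }
    transfer((string) $_POST['to'], (int) $_POST['amount']);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    transfer_protected();
    exit('Transfer sent');
}
?>
<!-- The legitimate form carries the token; a forged form on another site cannot. -->
<form method="post" action="/transfer">
  <?= csrf_field() ?>
  <label>To <input name="to"></label>
  <label>Amount <input name="amount"></label>
  <button type="submit">Send</button>
</form>
```

The token is what the attacker's page lacks: the browser attaches the bank's cookies to any request, but it cannot read the bank's session or the bank's form, so it cannot supply a matching `csrf_token`. Regenerate the token on login to avoid session fixation, and treat the `SameSite` cookie attribute as defence in depth rather than a replacement for the check.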


