adrianmak

What is the form input processing order in CSRF protection form ?

4 posts in this topic

I'm going to put CSRF form protection on a form.

At what point should CSRF be validated during form processing after submission?

Here is pseudo code:

if form submitted
   validate input fields
   if any one of the fields is invalid, stop processing and display field error
   if input fields passed validation
        validate CSRF
        if passed CSRF validation
             submit form data or save to database
        if not passed CSRF validation
             generate form error

Anything wrong with this order?


I use this format:

If form submitted {
	if CSRF is valid {
		// process form data
	} else {
		session redirect 401
	}
}
// render form

The reason I use this order is,

First, I make sure the form was submitted. If it was not, then render the form.

Second, I validate CSRF. If it passes, then process form data. // No sense processing form data if invalid.

Lastly, if CSRF fails, I redirect to 401.


 

1 person likes this
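
An added example, not rick's code or any forum/framework code, showing the order rick describes in a framework-neutral Python handler: confirm the form was submitted, verify the CSRF token before looking at any field data, and only then validate fields and save. The "redirect 401" step is modelled as returning a 401 status; the dict-based session, handle_request and the field rules are assumptions, and the constant-time token comparison is an addition not mentioned in the thread.

```python
import hmac
import secrets


def issue_csrf_token(session):
    """Mint a fresh per-session token and store it server-side for the rendered form."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def csrf_is_valid(session, submitted):
    """Compare the submitted token with the session's token in constant time."""
    expected = session.get("csrf_token")
    if not expected or not submitted:
        return False
    return hmac.compare_digest(expected, submitted)


def validate_fields(form):
    """Assumed field rules for a two-field form; returns {field: message} for failures."""
    errors = {}
    email = form.get("email", "").strip()
    if not email or "@" not in email:
        errors["email"] = "Enter a valid e-mail address."
    if len(form.get("name", "").strip()) < 2:
        errors["name"] = "Name is too short."
    return errors


def handle_request(method, form, session, save):
    """Return (status, body). Order: submitted? -> CSRF -> field validation -> save."""
    if method != "POST":
        # Not a submission: render the form with a token the browser will echo back.
        return 200, {"render": "form", "csrf_token": issue_csrf_token(session)}
    if not csrf_is_valid(session, form.get("csrf_token")):
        # Reject before any field data is validated or touched; nothing to tell
        # the user about individual fields when the request itself is not trusted.
        return 401, {"error": "invalid or missing CSRF token"}
    errors = validate_fields(form)
    if errors:
        # Re-render with field errors; the existing session token stays valid.
        return 200, {"render": "form", "errors": errors, "csrf_token": session["csrf_token"]}
    save({k: form[k].strip() for k in ("name", "email")})
    return 302, {"redirect": "/thanks"}
```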

29 minutes ago, rick said:

I use this format:


If form submitted {
	if CSRF is valid {
		// process form data
	} else {
		session redirect 401
	}
}
// render form

The reason I use this order is,

First, I make sure the form was submitted. If it was not, then render the form.

Second, I validate CSRF. If it passes, then process form data. // No sense processing form data if invalid.

Lastly, if CSRF fails, I redirect to 401.


 

How do I generate an HTTP 401 error to the client?
