在 CSRF 保护中使用 PHP 会话是否安全？

Question

I have a script file called get_user_unfo.php that just returns a JSON file of the current logged-in user's data.

When requested, the file first checks the CSRF token and then does a SQL search of the users table based on a session variable called user_id , which is set when the user logs in which is how it returns the JSON object.

What would happen if someone from evil.com tried to request the PHP file from my wesbite using AJAX?

A) Would nothing get returned because they're calling my file from a different website? If this is true and no results are returned then why is it advised to use long CSRF tokens? Surely just 1 or 0 would suffice?

or...

B) Would the request still be valid and would my website return other users information?

Answer 1

I'm answering my own question here as I discovered the answer.

It's clear to me now that I did not understand what CSRF propperly was and how it was supposed to be used.

To answer my question, neither a or b are correct.

The way CSRF works is best described here :

Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they're currently authenticated

So if a user went onto evil.com that had a page that did ajax requests to mydomain.com/change-email then without any protection in place this would go through because the unsuspecting user would be logged in on mydomain.com and so the ajax request would be playing with that users information.

The reason you need a token in place is so that the form and the request can communicate. So if evil.com tried to do an ajax request from a page now from mydomain.com then the values would not be the same.

The reason you dont want to use a 1 or a 0 either is for the same reason. An attacker could set up an ajax request that submitted a 1 or a 0 and the request would work.