Reputation: 845
I was trying to use the form key method for CSRF protection described here: http://net.tutsplus.com/tutorials/php/secure-your-forms-with-form-keys/ . But it applies to only one form on a page. My question is:
Suppose I have a form
<form action="action.php" method="post">
<!-- code here -->
</form>
and the PHP I'm using is
<?php
session_start(); // the session must be started before $_SESSION is read

if (isset($_POST['submit']) && isset($_SESSION['user']))
{
    //do something
}
I'm already using the session user to confirm he is logged in, and that the form is being submitted by my site, as the session was created on my site. Do I have to use a CSRF protection method too?
Upvotes: 4
Views: 255
Reputation: 173552
Do I have to use a CSRF protection method too?
Yes, because this is exactly why CSRF is dangerous; the cookies of a "victim" are unknowingly sent to the server to perform a particular action on behalf of the "hacker" when they submit a modified form on another site, disguised by a cute kitten photo (for example).
When the disguised form is submitted, your site can't tell the request apart from a legit one, because the authentication will be valid. Adding a CSRF token makes sure that the form was submitted from a page on your site.
When the session is created you also generate a CSRF token. This token is then used for all the forms on your site for the duration of the session; doing this prevents problems with having multiple tabs open at the same time.
Even if the form is copied from your page, including a CSRF token, that token would be stored in a session that doesn't belong to an authenticated user.
Upvotes: 4
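The session-scoped token the answer describes (generated once when the session is created, reused by every form, checked on every POST), as an added example that is not code from the question, the answer or the linked tutorial; the function names csrf_token, csrf_field and csrf_check are assumed.

```php
<?php
// Added example: one CSRF token per session, shared by all forms on the site.
// csrf_token / csrf_field / csrf_check are assumed names, not the answer's code.
session_start();

// Generate the token once per session; later calls return the same value,
// so several tabs with different forms all carry a valid token.
function csrf_token(): string {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Hidden field that every form on the site includes.
function csrf_field(): string {
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
}

// Compare the submitted token with the session's copy in constant time.
function csrf_check(array $post): bool {
    if (empty($_SESSION['csrf_token']) || empty($post['csrf_token'])
        || !is_string($post['csrf_token'])) {
        return false;
    }
    return hash_equals($_SESSION['csrf_token'], $post['csrf_token']);
}

// action.php: the login check from the question plus the token check.
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['submit'])) {
    if (!isset($_SESSION['user'])) {
        http_response_code(401);
        exit('not logged in');
    }
    if (!csrf_check($_POST)) {
        // A form copied to another site carries no token matching this session.
        http_response_code(403);
        exit('invalid CSRF token');
    }
    // do something
}
?>
<form action="action.php" method="post">
    <?= csrf_field() ?>
    <!-- other fields here -->
    <button type="submit" name="submit">Submit</button>
</form>
```

The token is tied to the session cookie rather than to a single form, so the cross-site request the answer describes fails at csrf_check even though the victim's authentication cookie is sent along with it.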