CSRF対策(トークン)


  private function _validate() {
    if (!isset($_POST['token']) || $_POST['token'] !== $_SESSION['token']) {
      echo "Invalid Token!";
      exit;
    }
  }

=========================================================

  public function __construct() {
    if (!isset($_SESSION['token'])) {
      $_SESSION['token'] = bin2hex(openssl_random_pseudo_bytes(16));
    }
    $this->_errors = new \stdClass();
    $this->_values = new \stdClass();
  }

=========================================================

      <input type="hidden" name="token" value="<?= h($_SESSION['token']); ?>">

=========================================================
function h($s) {
  return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓

    public static function genToken() {
        return uniqid(mt_rand() . '_', true);
    }

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
CONST MYTOKEN = "_my_token_";

            if(count($_POST) <= 0){
          $token = MyUtils::genToken();
          session_start();
          $_SESSION[self::MYTOKEN] = $token;

          $divideId = 0;
            }else{

        if ($_SESSION[self::MYTOKEN] != $_POST['my_token']) {
            if (/* 本番モード */) {
            //403
          }

          /* 編集モード */
          echo "Tokenチェックエラー"

          unset($_SESSION[self::REGTOKEN]);

                }else{
                      $token = $_POST['register_token'];
                }
            }

            //ログイン成功
            if($divideId == 1){
        $statusCode = 302;
        $targetUrl  = "http://www.example.com/";

        header("HTTP", true,  $statusCode);
        header("Location: " . $targetUrl );
      }
        }