What is CSRF?
Say you are logged in to your bank account website. Because you are authenticated, you might be able to do something like transfer funds to another account through the website. This is totally fine, because the cookie on your computer verifies that you are authenticated to the website, and the website checks to make sure that your computer is the one holding the session for your current login. Now say someone knows what kind of POST data needs to be sent to perform that same task (which can easily be gleaned by looking at the HTML of the bank's website). If they could get your computer to somehow submit the right POST data to the right place, they could make bank transfers from your computer, using your session. This is how a CSRF attack works.
Often, CSRF attacks will be masked in an image tag because browsers will attempt to load the resource in the src tag. So if I were to send for instance:
<img alt="" src="http://mymaliciouswebsite.org/dobanktransfer.php" />
in an email, or place it quietly at the bottom of a webpage, in a comment on a website, or wherever, your browser would attempt to load the resource. This means that a CSRF attack is able to execute actions in the unsuspecting user's browser as though the user performed them. Additionally, as far as the bank knows, it was a normal action taken on the user's behalf.
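The standard defence against the scenario above is to require, on every state-changing request, a secret that only the bank's own pages can supply: a random per-session token embedded in the form, which a page on another origin cannot read. The following is an added example, not code from the original post; the file name transfer.php, the field names and the use of PHP sessions are assumptions for illustration. It also refuses anything that is not a POST, which on its own blocks the img-tag vector (an img can only issue a GET), though only the token check stops a forged auto-submitting form.

```php
<?php
// Added example (not from the original post). Assumes a PHP session
// holds the login and that transfer.php is the endpoint the bank's
// transfer form posts to; both names are illustrative.
declare(strict_types=1);

session_start();

// Issue one random token per session and embed it in every
// state-changing form. A page on another origin cannot read it.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Accept the request only if it is a POST carrying the session's token.
// hash_equals() compares in constant time to avoid timing leaks.
function csrf_valid(array $post, string $method): bool
{
    if ($method !== 'POST') {          // an <img> tag can only send GET
        return false;
    }
    $sent = $post['csrf_token'] ?? '';
    return is_string($sent)
        && isset($_SESSION['csrf_token'])
        && hash_equals($_SESSION['csrf_token'], $sent);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_valid($_POST, $_SERVER['REQUEST_METHOD'])) {
        http_response_code(403);
        exit('Request rejected: missing or invalid CSRF token.');
    }
    // ... perform the transfer for the logged-in user here ...
    exit('Transfer accepted.');
}

// GET: render the form with the token embedded as a hidden field.
$token = htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8');
echo <<<HTML
<form method="post" action="transfer.php">
  <input type="hidden" name="csrf_token" value="{$token}">
  <input type="text" name="to_account">
  <input type="text" name="amount">
  <button type="submit">Transfer</button>
</form>
HTML;
```

A forged request from another site carries the victim's session cookie but not the hidden token, so it fails the hash_equals() check and is logged as a 403 rather than executed.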