I have a url with a $_GET parameter that allows deleting of a record in my database, eg. localhost/app/delete.php?id=4843.
The delete.php page only checks to see if the user is signed in and that they own the db record. Obviously, this creates the perfect opening for a CSRF attack. Should I generate the nonce when the page loads, or do I somehow do it only when the user clicks the URL? How would I?
Here's my code so far:
function nonce_create() {
$_SESSION["nonce"] = random_bytes(12);
$_SESSION["nonce_time"] = time();
}
function nonce_verify() {
$time = time() - 90; /* give browser 90 seconds to load */
if (isset($_SESSON["nonce"]) && strlen($_SESSION["nonce"]) == 7 && $_SESSION["nonce_time"] > $time) {
$_SESSION["nonce"] = null;
}
else {
header("location: index.php");
}
}
The nonce_create() function above would be called when loading the page where there are links to the delete.php page, and the nonce_verify() function would be called when the nonce needs to be verified and removed on delete.php.