Location: PHPKode > projects > 4images > 4images/docs/CSRF.english.txt
  ==========================================================
                       CSRF protection
  ==========================================================

  Since version 1.7.9, 4images has automatic protection
  against Cross-Site Request Forgery (CSRF) attacks.
  You'll find general informations about CSRF at:
  http://en.wikipedia.org/wiki/CSRF

  ----------------------------------------------------------
  How to enable the CSRF protection:
  ----------------------------------------------------------

  The CSRF protection is enabled by default.

  -- Advanced control of the CSRF protection ---------------

  You can control the CSRF protection in your config.php with
  the following configuration variables:

  - $csrf_protection_enable = 1;
      A value of 1 enables the CSRF protection, 0 disables it.
      Default value is 1.

  - $csrf_protection_frontend = 1;
      A value of 1 enables the CSRF protection for the
      frontend, 0 disables it.
      Default value is 1.

  - $csrf_protection_backend = 1;
      A value of 1 enables the CSRF protection for the
      backend (Admin Control Panel), 0 disables it.
      Default value is 1.

  - $csrf_protection_expires = 7200;
      Amount of seconds a token is valid.
      Default value is 7200 (2 hours).

  - $csrf_protection_name = '__csrf';
      Name of input field (hidden) which contains the token.
      Default value is '__csrf'.

  - $csrf_protection_xhtml = 1;
      A value of 1 creates the input field (hidden) as
      valid XHTML, 0 as normal HTML.
      Default value is 1.

  ----------------------------------------------------------
  CSRF protection for older versions of 4images:
  ----------------------------------------------------------

  1. Download the latest version of 4images and copy the file
     includes/csrf_utils.php from the zip to your 4images
     installation.

  2. Open global.php and search for the following line:

         @include(ROOT_PATH.'config.php');

     Insert the following code ABOVE this line:

         // Initialize CSRF protection configuration
         $csrf_protection_enable      = 1;
         $csrf_protection_frontend    = 1;
         $csrf_protection_backend     = 1;
         $csrf_protection_expires     = 7200;
         $csrf_protection_name        = '__csrf';
         $csrf_protection_xhtml       = 1;

     In the same file, search for the line:

         include_once(ROOT_PATH.'includes/captcha_utils.php');

     Insert the following code BELOW this line:

         //-----------------------------------------------------
         //--- CSRF protection ---------------------------------
         //-----------------------------------------------------
         include_once(ROOT_PATH.'includes/csrf_utils.php');

  3. Open includes/page_header.php and search for the
     following line (at the end for the file):

         ?>

     Insert the following code ABOVE this line:

         if ($csrf_protection_enable && $csrf_protection_frontend) {
           csrf_start(true);
         }

  4. Open admin/admin_global.php and search for the
     following line:

         include_once(ROOT_PATH.'admin/admin_functions.php');

     Insert the following code BELOW this line:

         if ($csrf_protection_enable && $csrf_protection_backend) {
           csrf_start();
         }
PHPKode Newsletter X is easy to install and configure on the most servers. Try now!
Return current item: 4images