I have a PHP application where pages are loaded using jQuery/ajax. My problem is, I need to include a per-request anti-CSRF token.
To put it another way: When I make the first request, the token needs to be renewed for the next request. The problem is: How do I set the new token in the form's hidden field?
I kept a common hidden field for the token and thought of changing its value. But the issue is: How do I set the new token?
I can't do it in ajax. If the user itself is compromised then the token fails.
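Here is the sample code:

```php
// Random per-request key
$key=md5(rand(1,9999).md5(date("Ymdhisu")).rand(1,9999));
// Token built from the client IP, a random number and the application salt
$token=md5(getIpAddress().rand(1,9999).CM_SALT_CSRF);
// SHA-512 of key + token is what gets stored in the session
$hash_key=$key.$token;
$hash_key=hash('sha512', $hash_key);
$session_key=$hash_key;
$_SESSION['CSRF_TOKEN']=$session_key;
$_SESSION['KEY']=$key;
```

Then I set $token in the hidden field.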
Now, after I submit a request with the token, and after processing, I will generate and set a new CSRF token. Since it's in 2.0, how do I set the new token value in the hidden field?
If I set the new token by requesting some page via JavaScript, then it can also be done via curl, right?
I hope I am clear.
EDIT 1
My scenario is: what if the user is himself/herself a hacker who created a fake account using a fake email ID? Then he/she can send curl requests from localhost to my site, forging the referrer and other header fields, while he/she is logged in to my site in another tab. The user is able to get the CSRF token from the curl response!? Correct me if I am wrong.
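
One way to rotate the token on every AJAX request, as an added example that is not part of the original post: the server keeps the current token only in the user's session, checks the submitted value, and returns the replacement in the JSON response so the page can write it into the hidden field. The single-file layout, the field name `csrf_token`, the form id `f` and the jQuery path are assumptions made for the example.

```php
<?php
// Added example (not the asker's code): per-request CSRF token rotation.
// Assumed names: field "csrf_token", form id "f", jQuery at /js/jquery.min.js.
session_start();

function issue_token(): string {
    // 256 bits from the OS CSPRNG, stored only in this user's session.
    $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    return $_SESSION['csrf_token'];
}

function token_is_valid($submitted): bool {
    $expected = $_SESSION['csrf_token'] ?? '';
    // Constant-time compare; missing, empty or non-string input never validates.
    return $expected !== '' && is_string($submitted)
        && hash_equals($expected, $submitted);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    header('Content-Type: application/json');
    if (!token_is_valid($_POST['csrf_token'] ?? null)) {
        http_response_code(403);
        echo json_encode(['error' => 'invalid CSRF token']);
        exit;
    }
    // ... process the request here ...
    // Rotate: the old token is dead, the new one goes back in the response.
    echo json_encode(['ok' => true, 'csrf_token' => issue_token()]);
    exit;
}
$token = htmlspecialchars(issue_token(), ENT_QUOTES, 'UTF-8');
?>
<form id="f" method="post">
  <input type="hidden" name="csrf_token" value="<?= $token ?>">
  <input type="text" name="comment">
  <button type="submit">Send</button>
</form>
<script src="/js/jquery.min.js"></script>
<script>
$('#f').on('submit', function (e) {
  e.preventDefault();
  $.post(location.href, $(this).serialize(), function (res) {
    // Write the rotated token into the hidden field for the next request.
    $('input[name=csrf_token]').val(res.csrf_token);
  }, 'json');
});
</script>
```

Because the token is stored in and compared against the session of whoever sends the request, a token read from a curl response validates only for the session whose cookie that curl request carried. Note that this sketch keeps a single token per session, so loading the page in a second tab invalidates the token held by the first.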