I've created a csrf_token and stored it in a session variable. On form submission I check the POST variable against the session variable. It works perfectly over HTTPS but not in an HTTP incognito window.
I just figured out that this problem is because the session value varies on each HTTP request.
Please give me a suggestion to solve this issue. Thanks!
    <?php
    // The session must be started before $_SESSION is available on each request.
    session_start();

    // Generate the token once per session, from a CSPRNG rather than md5(uniqid()).
    if (!isset($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }

    if (isset($_POST['token'])) {
        // hash_equals() compares in constant time, avoiding a timing side channel.
        if (hash_equals($_SESSION['csrf_token'], (string) $_POST['token'])) {
            echo "match";
        } else {
            echo "mismatch";
        }
    }
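As an added example (my code, not the asker's), here is a small CSRF helper that keeps the session cookie Secure and HttpOnly, validates the token in constant time, and logs when a POST arrives with no session cookie at all; one common cause of a session that changes on every plain-HTTP request is that the session cookie is flagged Secure, so the browser never sends it over HTTP. Function names are assumed, and the form markup is a placeholder.

```php
<?php
// Added example (not the asker's code): a minimal CSRF helper plus a diagnostic
// for the "session changes on every request" symptom. Function names are mine.
declare(strict_types=1);

// A session cookie flagged Secure is never sent by the browser over plain HTTP,
// so every HTTP request starts a fresh session and the stored token is lost.
// Keep the flag on and serve the form over HTTPS; do not relax it for HTTP.
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Lax',
]);
session_start();

// Diagnostic: a POST that arrives without the session cookie cannot carry a
// valid token, whatever the form contained. Log it so the cause is visible.
function session_cookie_present(): bool
{
    return isset($_COOKIE[session_name()]);
}

function csrf_token(): string
{
    if (!isset($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32)); // 256-bit CSPRNG token
    }
    return $_SESSION['csrf_token'];
}

function csrf_valid(?string $submitted): bool
{
    if (!session_cookie_present() || !isset($_SESSION['csrf_token'])) {
        error_log('CSRF check failed: no session cookie on this request (new session)');
        return false;
    }
    // Constant-time comparison; a missing submission fails closed.
    return $submitted !== null && hash_equals($_SESSION['csrf_token'], $submitted);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    echo csrf_valid($_POST['token'] ?? null) ? 'match' : 'mismatch';
} else {
    $token = htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8');
    echo '<form method="post"><input type="hidden" name="token" value="' . $token . '">'
       . '<button type="submit">Submit</button></form>';
}
```

If the log line appears on every POST over HTTP but never over HTTPS, the browser is withholding the session cookie on HTTP, and the fix is to serve the form over HTTPS rather than to weaken the cookie flags.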