In this article, I will show you how to add a CSRF token to the admin login page.
- A hidden CSRF token is added to the admin login form to defend against cross-site request forgery (CSRF) attacks. The server validates the token on every request that attempts to log in to the administrator panel.
- If the token sent by the client differs from the token stored in the server-side session (or is missing entirely), the request is rejected before the credentials are checked, and an error message is shown in the login popup window.
Steps to apply this security plugin for your admin login page
Step 1. Open admin/includes/jsons/login.php and edit it as follows:
- Find the following code:
if ( !empty($_REQUEST['user_name']) && !empty($_REQUEST['user_password']) ) {
- Add the following code before it (the token check must run before the credentials are read, so a forged request never reaches the password check):
// Reject the login request unless a valid CSRF token was posted with it.
if ( ! isset($_POST['token']) || ! $osC_Session->validateToken($_POST['token']) ) {
    $response['success'] = false;
    $response['feedback'] = 'Invalid token!';
    exit($toC_Json->encode($response));
}
Step 2. Open admin/templates/default/login/login.php and edit it as follows:
- Find the following code:
{xtype: 'textfield', name: 'user_password', fieldLabel: '<?php echo $osC_Language->get("field_password"); ?>', inputType: 'password', allowBlank:false},
- Add the following code after it (if another field follows it in the form's items array, keep a trailing comma after the new entry):
{xtype: 'textfield', name: 'token', inputType: 'hidden', value: '<?php echo $_SESSION["_token"]; ?>'}
Done. I strongly recommend applying this change to your admin panel. It stops an attacker from using a cross-site request to submit a forged login on behalf of an administrator's browser, because the attacker's page cannot read the token stored in the victim's session. After applying it, open the login page and view its source to confirm the hidden token field carries a value: an empty value means the session token had not been initialized when the template was rendered, and every login attempt would then be rejected with "Invalid token!".
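The following is an added, self-contained example of the token flow the two steps above wire into the login, written for this article and not taken from TomatoCart's code. It assumes a CLI run with a simulated $_SESSION, and the helper names csrf_token(), csrf_validate(), csrf_hidden_field() and handle_login() are assumptions made for the example; in TomatoCart the corresponding pieces are $_SESSION['_token'] and $osC_Session->validateToken(). It shows the three things a practitioner cares about: the token comes from a CSPRNG, the comparison is constant-time, and the check runs before credentials are examined.

```php
<?php
// Added example (not TomatoCart's own code). Run with: php csrf_demo.php
// The helper names below are assumptions for this demonstration.

// Session stand-in so the script runs from the CLI without session_start().
$_SESSION = [];

/**
 * Return the per-session CSRF token, creating it on first use.
 * random_bytes() is a CSPRNG, so the token cannot be predicted from
 * anything an attacker can observe.
 */
function csrf_token(): string
{
    if (empty($_SESSION['_token'])) {
        $_SESSION['_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['_token'];
}

/**
 * Validate a token posted by the client. hash_equals() compares in constant
 * time so a timing side channel does not reveal how many leading bytes matched.
 * A missing or non-string token is rejected without touching the session value.
 */
function csrf_validate($candidate): bool
{
    if (!is_string($candidate) || empty($_SESSION['_token'])) {
        return false;
    }
    return hash_equals($_SESSION['_token'], $candidate);
}

/**
 * Hidden field for a plain HTML form; the ExtJS items entry in Step 2 embeds
 * the same value. Escaping guards the attribute even if the token format changes.
 */
function csrf_hidden_field(): string
{
    return '<input type="hidden" name="token" value="'
        . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
}

/**
 * Model of the guarded handler from Step 1: the token gate runs first and
 * returns the JSON the login popup displays on failure.
 */
function handle_login(array $post): array
{
    if (!isset($post['token']) || !csrf_validate($post['token'])) {
        return ['success' => false, 'feedback' => 'Invalid token!'];
    }
    if (empty($post['user_name']) || empty($post['user_password'])) {
        return ['success' => false, 'feedback' => 'Missing credentials'];
    }
    // Real credential verification would follow here; this example stops at the CSRF gate.
    return ['success' => true];
}

// --- Demonstration with constructed requests (sample data, not captured traffic) ---
$token = csrf_token();

// Forged cross-site request: the attacker's page cannot read the victim's token.
$forged = ['user_name' => 'admin', 'user_password' => 'guess'];
// Legitimate request from the rendered login form.
$genuine = ['user_name' => 'admin', 'user_password' => 'correct', 'token' => $token];
// A token that differs only in its last character must still be rejected.
$nearMiss = $genuine;
$last = substr($token, -1);
$nearMiss['token'] = substr($token, 0, -1) . ($last === 'a' ? 'b' : 'a');

echo csrf_hidden_field(), PHP_EOL;
foreach (['forged' => $forged, 'genuine' => $genuine, 'near-miss' => $nearMiss] as $label => $req) {
    echo str_pad($label, 10), json_encode(handle_login($req)), PHP_EOL;
}
```

Running it prints the rendered hidden field, then one JSON line per request: the forged and near-miss requests get {"success":false,"feedback":"Invalid token!"} and only the genuine one gets {"success":true}. The design point is that the token is bound to the session, never to the user name or password, so an attacker who can make the victim's browser send credentials still cannot supply the matching token.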