Is this enough for CSRF protection?

If it's unique to every user, then it should be enough. Even if it's the same for the duration of the user session, it's still OK, but I would suggest re-generating it periodically. Also you may want to use different tokens for each form.

For example, if you have a login form and a comments form, it's better to use different tokens for them, but it's not 100% necessary.

Why do you assume that just because someone says your site is vulnerable, it has to do with a CSRF attack? There are so many other possible vulnerabilities.

Maybe your web server is outdated and vulnerable, maybe the PHP version is not the most recent one. Maybe the user was able to log in to your server via SSH or telnet. Maybe the user was able to guess the admin password.

Maybe you let people log in by cookie and store login credentials in cookies. There are just too many things other than CSRF that could be exploited. There is also a possibility that the user is wrong or does not know what he is talking about, or maybe he just wants to make you nervous.

What I think you are missing is limiting the token to a small window of time. You should have a look at Chris's CSRF article. A quick summary: a CSRF attack must include a valid token (anti-CSRF token) in order to perfectly mimic the form submission.

The validity of the token can also be limited to a small window of time, such as five minutes. If you use a token in all of your forms as I have suggested, you can eliminate CSRF from your list of concerns. While no safeguard can be considered absolute (an attacker can theoretically guess a valid token), this approach mitigates the majority of the risk. Until next month, be safe.

From: en.wikipedia.org/wiki/Cross-site_request... you can additionally decrease the lifetime of the cookie, check the HTTP Referer header, and use a captcha - but not every user likes it. However, your action with a secret key is still better than nothing...

"Each time they load the page, it changes IF it's not already set." Well, there is your problem. Once a token is retrieved, all the actions can easily be performed further on.

I usually implement the token to be valid for one single request and afterwards regenerate it.
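The answers above make four separate points about anti-CSRF tokens: bind them to the user's session, use a different token per form, limit how long a token stays valid, and invalidate a token after a single request. The following is an added example (not code posted by anyone in this thread) that puts all four into one small token store. The in-memory dictionary, the session ids `sess-A`/`sess-B`, the form names `login`/`comments` and the `demo()` walkthrough are assumptions made for the illustration; a real application would keep the store in its server-side session state and read the submitted token from the form body.

```python
"""CSRF tokens: per-session, per-form, time-limited and single-use.

Added illustration; not code from the original thread. The in-memory
store, session ids and form names are assumptions for the example; a
real application would keep the store in server-side session state.
"""
import hmac
import secrets
import time

DEFAULT_MAX_AGE = 300  # seconds; the "five minutes" window from the thread


class CsrfTokenStore:
    """Issues and validates anti-CSRF tokens.

    Tokens are keyed by (session_id, form_name), so a token issued for the
    login form is not accepted by the comments form, and each token is
    removed on first successful validation (single-use).
    """

    def __init__(self, max_age=DEFAULT_MAX_AGE, clock=time.time):
        self.max_age = max_age
        self.clock = clock  # injectable so tests can control time
        self._tokens = {}   # (session_id, form_name) -> (token, issued_at)

    def issue(self, session_id, form_name):
        """Generate a fresh token and remember when it was issued.

        Re-issuing replaces any previous token for the same session+form,
        so a stale token left in an old tab is invalidated.
        """
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._tokens[(session_id, form_name)] = (token, self.clock())
        return token

    def validate(self, session_id, form_name, submitted):
        """Return True once for a matching, unexpired token; otherwise False.

        The stored token is deleted on success (single-use) and on expiry,
        so a replayed or stale token cannot be accepted later.
        """
        key = (session_id, form_name)
        entry = self._tokens.get(key)
        if entry is None or not submitted:
            return False
        expected, issued_at = entry
        if self.clock() - issued_at > self.max_age:
            del self._tokens[key]      # expired: discard, caller must re-issue
            return False
        # constant-time comparison avoids leaking token bytes via timing
        if not hmac.compare_digest(expected.encode(), submitted.encode()):
            return False
        del self._tokens[key]          # consumed: the token is single-use
        return True


def demo():
    """Walk through the cases the thread discusses; returns a dict of outcomes."""
    now = [1_000_000.0]                      # constructed fake clock
    store = CsrfTokenStore(max_age=300, clock=lambda: now[0])

    login_tok = store.issue("sess-A", "login")
    comment_tok = store.issue("sess-A", "comments")

    results = {}
    # a token bound to a different form is rejected
    results["wrong_form"] = store.validate("sess-A", "login", comment_tok)
    # a token bound to a different session is rejected
    results["wrong_session"] = store.validate("sess-B", "login", login_tok)
    # the correct token is accepted exactly once
    results["first_use"] = store.validate("sess-A", "login", login_tok)
    results["replay"] = store.validate("sess-A", "login", login_tok)
    # a token older than the window is rejected even if otherwise valid
    now[0] += 301
    results["expired"] = store.validate("sess-A", "comments", comment_tok)
    return results


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case:14s} accepted={accepted}")
```

The store deletes a token both when it is consumed and when it is found expired, so the only way to get a fresh token is to render the form again, which is what the single-request approach in the last answer relies on. Token comparison goes through `hmac.compare_digest` on byte strings so that a mismatch takes the same time regardless of which byte differs.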
