Having just read these answers:
CSRF implementation => SO Quest.
I might change it to use openssl_random_pseudo_bytes(16), or a combination of both.
Another tutorial that I watched used uniqid() wrapped inside an MD5 hashing function, but from the documents and articles that I have read, MD5 is deprecated, and wrapping uniqid() inside a hashing function destroys the purpose and intent of uniqid(), which is to create a GUID, or as close as possible to a one-time unique number.
Another part used mcrypt_create_iv(), which is also deprecated...
Other questions that I can find related to CSRF & token generation:
Update soon.
Also, I just downloaded some generic code from PhpJabbers, but noticed when studying their code that they have included @session_start() instead of the normal session_start() that I see everywhere else. Does anybody know what the @ does, apart from suppressing warnings and errors? Google and the PHP docs have no reference to this.

Is $_SESSION['Tokens']; a fixed list of variables that I can call upon to do certain jobs, or can I make my own up, like $_SESSION['MyStoredSumthing']? Are all $_UPPERCASE considered GLOBAL?

Currently I have my CSRF & cookie code in the head of my document, which is included in every single page. Is this bad practice, as every time a page is requested it is going to run through my PHP script and create or override the CSRF token and/or cookie with either the same value or a different new value? If it is being stored in the SESSION, which makes it available to all subsequent pages, then calling this PHP on every page load is wrong? Is this correct? I'm trying to build my pages more towards MVC, but still have to go through and get rid of all the mysql_ functions.

All mysql_ functions are deprecated. Does this include mysqli?
<?php
session_start();
if (empty($_SESSION['csrf_token'])) { // Cross Site Request Forgery token, generated once per session.
    // random_bytes() is PHP's CSPRNG (PHP 7+); bin2hex() makes it safe for a form field.
    // No md5() wrapper is needed (and the original line was not valid PHP).
    $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
}
?>
<?php
error_reporting(E_ALL);
header('Access-Control-Allow-Origin: *'); // Remove this when uploaded to live server. Only here for CORS warnings.
session_start();
$GuestUsr = "BaseUsr";
$_SESSION['GuestUsr'] = $GuestUsr; // session_register() was removed in PHP 5.4; write to $_SESSION directly.
if (empty($_SESSION['csrf_token'])) { // Cross Site Request Forgery token, generated once per session.
    $_SESSION['csrf_token'] = bin2hex(random_bytes(32)); // CSPRNG output; no md5() needed.
}
$_SESSION['hits'] = ($_SESSION['hits'] ?? 0) + 1; // Increment a very basic page counter (initialise on first hit).
$_SESSION['in_Session'] = '1';
$_SESSION["is_guest"] = true;
$_SESSION["loggedIn"] = false;
$_SESSION["has_priv"] = false;
if ($_SESSION["is_guest"] === true) { // was "$SESSION[...] = true": a typo and an assignment, not a comparison
    $_SESSION["loggedIn"] = false;
} elseif ($_SESSION["loggedIn"] === true) {
    $_SESSION["is_guest"] = false;
    $_SESSION["has_priv"] = 1; // Will be different privilege levels. 1>7...
}
// bin2hex() only hex-encodes its argument: bin2hex(16) is the constant string "3136",
// not a random value. Feed it random bytes instead.
$csrf = bin2hex(random_bytes(16));
$cookie = bin2hex(random_bytes(32));
$hashish_cookie = bin2hex(random_bytes(64));
if (isset($_SESSION['loggedIn']) && $_SESSION['loggedIn'] === true) {
    // $_SESSION['username'] is never set in this script; guard it and escape it for HTML output.
    echo "Welcome to the member's area, " . htmlspecialchars($_SESSION['username'] ?? '', ENT_QUOTES, 'UTF-8') . "!";
} else {
    echo "Please log in first to see this page.";
}
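The token handling the question is circling around, written out as a small synchronizer-token helper. This is an added example, not code from the original post or from any tutorial it mentions; the function names, the CSRF_* constants, the form field name "csrf_token" and the session cookie options are my assumptions. It generates the token once per session with random_bytes(), compares it in constant time with hash_equals(), and shows why calling the generator on every page load is harmless as long as the "only if missing" check is there.

```php
<?php
// Added example: minimal synchronizer-token CSRF helper for a native-session PHP app.
// Assumptions (not from the original post): native PHP sessions, PHP 7.3+, a hidden
// form field named "csrf_token"; all function and constant names here are mine.
declare(strict_types=1);

const CSRF_SESSION_KEY = 'csrf_token';
const CSRF_TOKEN_BYTES = 32; // 256 bits of CSPRNG output -> 64 hex characters

// Start the session once, without the "@" silencer: a warning here means headers were
// already sent or the session was already started, which is a bug to see, not to hide.
function csrf_start_session(): void
{
    if (session_status() === PHP_SESSION_NONE) {
        session_start([
            'cookie_httponly' => true,
            'cookie_samesite' => 'Lax',
            'cookie_secure'   => isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off',
        ]);
    }
}

// Return the session's token, creating it only the first time. Including this on every
// page is fine: the token is generated once per session, not once per request.
function csrf_token(): string
{
    csrf_start_session();
    if (empty($_SESSION[CSRF_SESSION_KEY])) {
        // random_bytes() is the CSPRNG; no md5(), uniqid() or mcrypt_create_iv() wrapper.
        // Contrast: bin2hex(16) would always return the constant "3136".
        $_SESSION[CSRF_SESSION_KEY] = bin2hex(random_bytes(CSRF_TOKEN_BYTES));
    }
    return $_SESSION[CSRF_SESSION_KEY];
}

// Hidden input to drop into every state-changing (POST) form.
function csrf_field(): string
{
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
}

// Verify a submitted token. hash_equals() runs in constant time, so response timing
// does not leak how many leading bytes of a guess were correct.
function csrf_validate(?string $submitted): bool
{
    csrf_start_session();
    $expected = $_SESSION[CSRF_SESSION_KEY] ?? null;
    if ($expected === null || $submitted === null) {
        return false;
    }
    return hash_equals($expected, $submitted);
}

// Call at the top of any POST handler; rejects the request outright on failure.
function csrf_require_valid_post(): void
{
    if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
        return;
    }
    if (!csrf_validate($_POST['csrf_token'] ?? null)) {
        http_response_code(403);
        exit('Invalid or missing CSRF token.');
    }
}

// Rotate the token after login and logout so a token captured from the anonymous
// session is not accepted for the authenticated one. Pair with session_regenerate_id(true).
function csrf_rotate(): void
{
    csrf_start_session();
    unset($_SESSION[CSRF_SESSION_KEY]);
    csrf_token();
}
```

Usage: include the file from the shared page head, echo csrf_field() inside each form that changes state, and call csrf_require_valid_post() before the handler touches the database. Because the generator only writes to $_SESSION when the key is empty, the token survives across page loads; csrf_rotate() is the one place that deliberately replaces it.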