Yes, yes, yes! This is what I was looking for. Thank you!

Loved it. I'm yet to start this series but ran into CSRF and you explained it very well! Thank you !

Hi Gio, thanks for this lesson. Learning about theses security threats and how to deal with them is so valuable. I can't wait to see the XSS lesson. And in all we learn more and more about twig, using middlewares etc. The Guard class... I think this is the first time I am really understanding a vendor's code and how the functions we call from them work. Thanks Gio.

Thanks and waiting for more security lessons impatiently. Keep it up this great work.

Excellent tutorial as always

Yes Gio you the best and Boss !!!

Great tutorial buddy 👍

I noticed that you demonstrated how to generate and validate CSRF tokens in PHP to protect against CSRF attacks. However, I'm worried that this approach may not be sufficient to prevent attacks if an attacker manages to set a session on their malicious page. If an attacker can trick a user into visiting their malicious page, couldn't they potentially exploit the user's active session to perform unauthorized actions? For example, if the user is logged into a website with an active session and then visits the attacker's page, couldn't the attacker use JavaScript to send requests with the user's session cookies, bypassing the CSRF protection? Thanks!

learnt a lot from you, thanks

What's the best way to centralized csrf tokens in a distributed environment with a load balancer?

Hi, what if create a simple function in Session, (instead of this complicated Slim solution) that will generate long random token(letters-numbers) and passing that token to a hidden input field? And after login compare the Session token and the hidden input value? Becouse i wanna practice without frameworks.

I have a little problem with persisting token in storage propably. After generating, token is saved in session indeed and I've checked it, but when it comes to validate that token, I always get failed CSRF check and after checking session in moment of validation, there is only "csrf" key in array, but no data in it. Could it be session's fault? Even after changing branch to P10_End or P10_Start and following your steps, nothing changes. I feel like it's my job to find answer but I'm stuck a bit needing little guide. Thanks a lot for another great video and for sharing with people your knowledge 🙌

Create lesson again, Gio. Thanks. Is is necessary to still pass the token key/value pair to the template, when you generate and pass the input fields too? We don't seem to use those global values anymore at this point. Why not use a view to generate only those two inputs, so the html is all kept in views and in one spot? Can a mallicious script get access to the hidden fields and still break this token system? It still seems fragile having to add the token to the html, like adding a password openly in the html. We can even use inspector to access it. The cooky options will prevent a cookie from being accessed, but html would still be accessible. That part doesn't seem so secure. Am I missing something?

شكرا 💙💙

Great. Like clockwork. Let me wear my gloves 😜

Thanks for the in-depth video. However, it was almost painful to watch you inlining the HTML inputs at the end. Since you already have the magic of Twig at hands, I'd recommend to simply use the Twig include tag with a another file where you put the two HTML tags in. Way cleaner! 😉

Is this application in Laravel framework or raw PHP?

When will we start laravel series?

Can we have a mezzio serries please??? 🤓