The purpose of this website is to test whether a Cross-Site Request Forgery (CSRF) attack is possible and how to defend against it. To simulate the CSRF attack, I use the malicious folder, which contains add_user.html, a page that attacks the website with CSRF, and protected_user.html, a page that demonstrates a defence against CSRF; the two HTML forms target different versions of the website code.
NOTE: add_user.html uses the website code from website_lab2 with no modification, while protected_user.html uses the lab3_secure_web code, which is the new website code with a security modification.
To protect against a CSRF attack, the website code needs to use a session ID; we obtain it from the $_COOKIE['PHPSESSID'] value, so it is specific to the user who is logged in. This session ID carries over throughout the entire website until the user logs out. The way we use it is that in create_adminv2.php we always pass the session ID as a hidden input field, and that field is checked when an admin account is registered. If an attacker tries to insert a malicious account into the admin DB, they cannot, because they have no session ID, or at least not the specific session ID of the user who is currently signed in.
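As an added example, not the lab's own create_adminv2.php code, here is the hidden-field session-ID check described above in one self-contained PHP script (the field name session_token and the form layout are assumptions):

```php
<?php
// Added example (not the lab's create_adminv2.php): the form and the
// server-side check for the hidden session-ID field, in a single file.
session_start();

// The lab reads the session ID from the PHPSESSID cookie; after
// session_start() the same value is also available via session_id().
function current_session_token(): string {
    return $_COOKIE['PHPSESSID'] ?? session_id();
}

// Render the admin-registration form with the session ID as a hidden input.
// htmlspecialchars() keeps the value from breaking out of the attribute.
function render_form(): string {
    $token = htmlspecialchars(current_session_token(), ENT_QUOTES, 'UTF-8');
    return '<form method="post" action="">'
         . '<input type="text" name="username"> '
         . '<input type="password" name="password"> '
         . '<input type="hidden" name="session_token" value="' . $token . '">'
         . '<button type="submit">Register admin</button></form>';
}

// Server-side check: the submitted hidden value must equal the session ID
// bound to this request's cookie. A form hosted on another origin cannot
// read that cookie, so it cannot fill the field in. hash_equals() avoids a
// timing side channel on the comparison.
function token_is_valid(array $post, string $expected): bool {
    $submitted = $post['session_token'] ?? '';
    return $submitted !== '' && $expected !== '' && hash_equals($expected, $submitted);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!token_is_valid($_POST, current_session_token())) {
        http_response_code(403);
        exit('CSRF check failed: missing or mismatched session token');
    }
    // Only now insert the admin row into the DB (use a prepared statement).
    echo 'Admin registered';
} else {
    echo render_form();
}
```

Because this design puts the session ID itself into the page HTML, the usual hardening is to store a separate random token (for example bin2hex(random_bytes(32))) in $_SESSION and send that in the hidden field instead; the check logic stays the same.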