CSRF attack protection in login form

checklogin.php

@@ -14,28 +14,32 @@
     $password = sanitize($_POST['password']);
     $remember = (isset($_POST['remember'])) ? true : false ;
 
-    db_connect();
-    $query = "SELECT * FROM vor_admin where username = ? AND password = ?";
+    if($_SESSION['csrf_token'] == $_POST['csrf_token']) {
+        db_connect();
+        $query = "SELECT * FROM vor_admin where username = ? AND password = ?";
 
-    try{
-        $result = $pdo->prepare($query);
-        $result->bindParam(1, $username);
-        $result->bindParam(2, $password);
-        $result->execute();
-        if($result->rowCount() > 0) {
-            $message['message'] = 1;
-            $_SESSION["username"] = $_POST["username"];
-            $date = date("l jS \of F Y h:i:s A");
-            $content = $username." loged in";
-            $ip = $_SERVER['REMOTE_ADDR'];
-            $pdo->query("UPDATE vor_admin SET last_login = '{$ip}'");
-            $pdo->query("INSERT INTO vor_notify(class, content, time, status) VALUES('info', '$content', '$date', 'unread')");
-        } else {
-            $message['message'] = 0;
+        try{
+            $result = $pdo->prepare($query);
+            $result->bindParam(1, $username);
+            $result->bindParam(2, $password);
+            $result->execute();
+            if($result->rowCount() > 0) {
+                $message['message'] = 1;
+                $_SESSION["username"] = $_POST["username"];
+                $date = date("l jS \of F Y h:i:s A");
+                $content = $username." loged in";
+                $ip = $_SERVER['REMOTE_ADDR'];
+                $pdo->query("UPDATE vor_admin SET last_login = '{$ip}'");
+                $pdo->query("INSERT INTO vor_notify(class, content, time, status) VALUES('info', '$content', '$date', 'unread')");
+            } else {
+                $message['message'] = 0;
+            }
+        } catch(PDOException $e) {
+            echo $e->getMessage().'<br>';
+            die();
         }
-    } catch(PDOException $e) {
-        echo $e->getMessage().'<br>';
-        die();
+    } else {
+        $message['message'] = 'csrf';
     }
 }
 

js/login.js

@@ -4,12 +4,15 @@ $(function() {
     var btn = form.find('input[type=submit]');
     var succDiv = alertDiv.find('div[data-msg=success]');
     var errDiv = alertDiv.find('div[data-msg=error]');
+    var csrfAttack = alertDiv.find('div[data-msg=csrfAttack]');
     var emptyDiv = alertDiv.find('div[data-msg=empty]');
 
     form.on('submit', function(e) {
         e.preventDefault();
+
         succDiv.hide();
         errDiv.hide();
+        csrfAttack.hide();
         emptyDiv.hide();
         btn.button('loading');
 
@@ -33,6 +36,10 @@ $(function() {
                     btn.button('reset');
                     errDiv.fadeToggle();
                     $('#box').shake();
+                } else if(data.message == 'csrf') {
+                    btn.button('reset');
+                    csrfAttack.fadeToggle();
+                    $('#box').shake();
                 }
             }, 'json');
         }

login.php

@@ -1,5 +1,7 @@
 <?php
     session_start();
+    $_SESSION['csrf_token'] = md5(uniqid(rand(), true));
+
     if(isset($_SESSION["username"])){
         header('Location: index.php');
     }
@@ -55,15 +57,17 @@
                                         <input id="password" class="form-control black" placeholder="Password" type="password" name="password">
                                     </div>
                                     <div>
+                                        <input type="hidden" name="csrf_token" value="<?php echo $_SESSION['csrf_token']; ?>">
                                         <input type="submit" name="submit" value="Login" id="login" class="btn btn-lg btn-success btn-block" id="submit">
                                     </div>
                                 </fieldset>
                             </form>
                         </div>
                     </div>
                     <div id="alert">
-                        <div data-msg="success" class="alert alert-success login-message    " style="display:none"><i class="close" data-dismiss="alert">&times;</i>Login successful. Redirecting…</div>
+                        <div data-msg="success" class="alert alert-success login-message" style="display:none"><i class="close" data-dismiss="alert">&times;</i>Login successful. Redirecting…</div>
                         <div data-msg="error" class="alert alert-danger login-message" style="display:none"><i class="close" data-dismiss="alert">&times;</i>Your username or password is incorrect</div>
+                        <div data-msg="csrfAttack" class="alert alert-danger login-message" style="display:none"><i class="close" data-dismiss="alert">&times;</i>CSRF attack detected!</div>
                         <div data-msg="empty" class="alert alert-warning login-message" style="display:none"><i class="close" data-dismiss="alert" id="emptyMsg">&times;</i>You must enter username and password</div>
                     </div>
                 </div>