I am reviewing the security of my web application, going through all the possible kinds of vulnerabilities. Now I am on 'Cross Site Request Forgery' attacks.
Studying them, I see that their purpose is to modify some parameter of a script by means of a GET request hidden in an image, for example:
<img src='process.php?action=logout'>
With this you execute a script that is included in your directory and which closes the users' sessions, so that if a user visits a site containing this image, their session in the application is closed.
My question is whether this can be avoided by putting the functionalities that interact with the server (the PHP files) outside the root directory.
I have also seen that a token is usually used to verify that whoever is accessing a certain file is validated on the server. I have implemented sessions that check that a session has been started with the user's name, validated in the database, but I think it is not as secure as the token:
if (isset($_SESSION['username'])) {}
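For reference, here is an added example (my own code, not the asker's application) of the token approach mentioned above, using PHP's built-in session, `random_bytes` and `hash_equals`. The handler name `process.php`, the `action=logout` parameter and the session key `csrf_token` are assumptions for illustration; the `username` session key is the one from the question.

```php
<?php
// Added example: a synchronizer CSRF token bound to the PHP session.
// 'process.php', the 'csrf_token' key and the function names are assumptions.

// SameSite=Lax (PHP 7.3+) stops the browser from attaching the session
// cookie to most cross-site requests in the first place; the token below
// is the server-side check that does not depend on browser behaviour.
session_set_cookie_params([
    'samesite' => 'Lax',
    'httponly' => true,
    'secure'   => true,
]);
session_start();

// Create one random token per session and keep it server-side.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Compare the submitted token with the stored one in constant time.
function csrf_check($submitted): bool
{
    if (empty($_SESSION['csrf_token']) || !is_string($submitted)) {
        return false;
    }
    return hash_equals($_SESSION['csrf_token'], $submitted);
}

// Hypothetical state-changing handler (process.php). State changes are only
// accepted over POST, so an <img src="process.php?action=logout"> GET does
// nothing; a cross-site POST is rejected because the attacker's page cannot
// read the token that lives in the victim's session.
if ($_SERVER['REQUEST_METHOD'] === 'POST' && ($_POST['action'] ?? '') === 'logout') {
    if (!isset($_SESSION['username'])) {      // authentication: who is this?
        http_response_code(401);
        exit('not logged in');
    }
    if (!csrf_check($_POST['csrf_token'] ?? null)) { // origin: did our page send it?
        http_response_code(403);
        exit('invalid CSRF token');
    }
    $_SESSION = [];
    session_destroy();
    exit('logged out');
}
?>
<!-- Every form that changes state carries the token as a hidden field. -->
<form method="post" action="process.php">
    <input type="hidden" name="action" value="logout">
    <input type="hidden" name="csrf_token"
           value="<?= htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') ?>">
    <button type="submit">Log out</button>
</form>
```

The two checks answer different questions. `isset($_SESSION['username'])` only establishes that the browser sending the request holds a valid session, and in a CSRF attack it does, because the browser attaches the victim's own cookie; so that check passes and cannot stop the forged request on its own. The token is a value that only pages served by your application can see, so a request that lacks it (or carries a wrong one) is rejected even though the cookie is valid. Moving the PHP files outside the web root does not address this: a handler that users must be able to call has to be reachable by URL, and whatever URL reaches it can also be placed in an image or form on another site.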