csrfprotectionmodelbehavior

Protection against Cross-Site Request Forgery (CSRF), another common attack against web sites and applications.

Overview

Cross-Site Request Forgery (CSRF) is another common attack against web sites and applications. Forms that perform tasks such as user registration or adding comments are vulnerable to it.

The idea is to make sure that posted form values come from a form our own application rendered, not from a form hosted elsewhere. To do this, we generate a random nonce (token) for each form, store the token in the session, and then validate it when the form posts data back to our application by comparing the token stored in the session with the one submitted by the form:

ACTION

public function actionLogin()
{
    $loginForm = new LoginForm;
    if (isset($_POST['LoginForm'])) {
        $loginForm->attributes = $_POST['LoginForm'];
        if (
            $loginForm->validate(array('username', 'password')) &&
            $loginForm->login()
        ) {
            $this->redirect(array('/user/index'));
        }
    }
    // Generate a fresh token for the form that is about to be rendered.
    $loginForm->createToken(true);
    $this->render('login', array('loginForm' => $loginForm));
}

VIEW

$form = $this->beginWidget('CActiveForm');
......
// The action renders this view with 'loginForm' => $loginForm, so that is the model variable here.
echo $loginForm->createTokenField();
.......
$this->endWidget();

BEHAVIOR

ADD BEHAVIOR TO MODEL

// inside the model's behaviors() array:
'CSRFProtectorBehavior' => array(
    'class' => 'CSRFProtectorBehavior',
    'tokenErrorMessage' => Yii::t('app', 'Validacijski token nije ispravan')
)


#13924
Igor Ivanovic at 2013/07/06 08:35am
Yes, this is built-in

Yii stores the name YII_CSRF_TOKEN, e.g. with the value e1453217f415675a1fa713884719afb812e2faa8. This behavior creates a new hashed name and value: LoginForm[0f48fb7029c79be8888faa894ca5b251] => 65247b49f2ca7f84d71b76229d0df5ea

#13908
nineinchnick at 2013/07/05 06:08am
This is built-in

I thought that Yii had this in the core. See CHttpRequest.enableCsrfValidation.

How is this behavior different?
