CSRF ... help

Yii 1.1 General Discussion
1

Hello,

I was in the process of trying to secure my app and added the CSRF component to it as stated in the guide,

so it does add the token to my forms etc …

but I don’t understand why I still am able to repeat a Post request with Curl or Charles when I know the value of the token.

I thought the token was supposed to change each time a form is generated so that only a request coming from my form would be successful

I guess I’m not understanding how this works …

would someone enlighten me ?

thanks a lot

2

I’ve not used that function myself but do add something like this (at it’s simplest) to the controller of my view file:




session_start();

$_SESSION['token'] = Yii::app()->User->encrypt(microtime());

Then in your form within the view file just set a hidden input field to the value in “$_SESSION[‘token’]”.

EDIT: … of course you’ll then need to check $_POST[‘token’] == $_SESSION[‘token’] in the form processing script.

There’s probably much more elegant ways to do the same thing but this works for me :)

3

Thanks,

That’s what I had in mind,

as I had used the Security component from the CakePhp Framework which does this for you

Is there a built-in mechanism to prevent mass form submission ? I mean that I am confused as to why I was able to re-post a form with the token produced by the application.

I guess I’m not that clear …

4

Yii’s CSRF functionality doesn’t generate a different token for each form submission. Instead, it generates a CSRF token for a user, stores it in a cookie, then appends the same CSRF token to each form tag. Then when the application recieves a POST request it makes sure the cookie matches the posted CSRF token. There is no way for an external site to determine the cookie’s value, so cross domain POST requests won’t work and your application becomes csrf proof. I believe the functionality you’re talking about to prevent form resubmissions falls under a different name to CSRF protection.

5

Thanks for your comprehensive explanation. Never needed CSRF but finally i understand the concept ;).

6

Thanks a lot

What I am trying to achieve is prevent form tampering, which is not the same indeed

7

Personally, I turn it on the second I start building an app. No matter what you’re building it’s better to be secure from the start. Adding it later can be a pain as you have to go back to all your ajax buttons and make sure you’ve set the csrf attribute to true.

8

Hi everyone, I wonder if ye guru’s out there might tell me if the following is a secure way of doing things.

Firstly, I am attempting to use Angular.js as a front end

In order to prevent csrf I am using an [size=“2”] idea from Dan Mosher’s Angular Security Video: https://www.youtube…-Id54?start=720[/size]

Basically I am injecting the csrf-token into the page as a meta-tag (using yii’s Yii:app()->request->cjsrf_token), and then sending it along with the login request.

(I got the cjsrf_token, by creating my own CHttpRequest class - from here: http://www.yiiframew…+rf#entry175284)

For reference, I am forcing yii to load first before my angular app loads by telling [size=“2”]my SiteController to use the layout ‘webroot.app.index.php’ (which is my angular app’s index page). Then when SiteController tries to load its site/index, it actually loads my angularApps index instead. I got that idea from: [/size][size=3]https://github.com/wlepinski/angularjs-yii-boilerplate/blob/master/protected/components/Controller.php[/size]

This way, Yii first loads, but then my site controller redirects to the angular app (in webroot/app/index.php)

Now since Yii is loaded, I can access the csrfToken and inject it into the angular apps index page:

[size="2"]


<meta name="csrf-token" ng-init="csrf_token='<?php echo app()->request->csrfToken;?>'">

[/size]

Now that it is loaded into Angular, the login page can send it back to yii for verification.




 $scope.user = {

                username: "myusername",

                password: "mypassword",

                YII_CSRF_TOKEN:$scope.csrf_token

            };

Yii seems to valid this way… but, my question to you is – is this secure? (providing I am using ssl?)