when should I use csrf protection?

Hi all,

I can’t figure out if I need the csrf protection or not…

I don’t understand what it protects me from?

I don’t have actions like givemoney?to=someone&amount=10000 :rolleyes:

All done via post requests, and most of it via ajax.

I have no problem adding the csrf token to all ajax requests…

I just don’t understand how it protects me if at all and from what?

What is the problem with getting the token from the form, and then starting to spam?

I did a little test, the token doesn’t change every time…

For example I have a login form via ajax, I validate login, and log out

all the time the token was 1ca5fd998081b9cd42beaa9d69ec27ad715e9862

and even after logout it doesn’t change…

so I don’t get the point ???

Someone? :rolleyes:

CSRF protection protects you against cross-site request forgery.

It doesn’t matter if it’s GET or POST, an attacker might trick one of your users into submitting a form that directs to your site, for example by using javascript on the evil site. So I’d say, if you can: enable it.

The idea behind a CSRF-token is that an attacker cannot read the token you generate for a visitor due to Javascript’s same origin policy so the attacker cannot send a fake request using the victim’s browser.

Should the token be regenerated every time?

because I see it’s the same all the time for the browser session… so what’s the point?

It’s not possible to create a new token on every request. Generating a new one on every request would mean the framework would have to keep track of all generated tokens to verify if a request was valid and not from an attacker (think how this could go wrong when using tabs on the same site).

It’s also not necessary to generate a new one on every request: as long as the one that is generated cannot be stolen by a 3rd party (and it can’t), it’s safe for verifying requests.

The bottom line is that Yii handles it for you. :)
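To make the two replies above concrete (why a cross-site form cannot pass the check even though the victim's session cookie is sent, and why one token per session works with several tabs while a token rotated on every request does not), here is an added, self-contained Python model of the mechanism. It is an illustration written for this thread, not Yii's own code: the in-memory `SESSIONS` store, the `_csrf` field name and the helper names are assumptions, and the "attacker" and "two tabs" functions simulate requests rather than sending any.

```python
import hmac
import secrets

# Constructed in-memory session store: session id -> session data.
# Stands in for whatever the server keeps behind the session cookie.
SESSIONS = {}


def new_session():
    """Create a session the way a login/first visit would and return its id."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {}
    return sid


def csrf_token(sid):
    """Return the session's CSRF token, creating it on first use.

    The token is the same for the whole session, which is what the poster
    observed. It only has to be unguessable and unreadable from another
    origin; it does not have to be fresh per request."""
    sess = SESSIONS[sid]
    if "csrf" not in sess:
        sess["csrf"] = secrets.token_hex(20)  # 40 hex chars, like the one quoted above
    return sess["csrf"]


def handle_post(sid, form):
    """Server-side check for a state-changing POST (form or AJAX).

    The browser attaches the session cookie automatically, so `sid` is present
    even on a request forged from another site. Only the token proves the form
    was rendered by us and read by a page on our origin."""
    if sid not in SESSIONS:
        return 403, "no session"
    expected = SESSIONS[sid].get("csrf")
    supplied = form.get("_csrf", "")
    # compare_digest avoids leaking the token through timing differences
    if expected is None or not hmac.compare_digest(expected, supplied):
        return 400, "bad CSRF token"
    return 200, "ok"


def simulate_cross_site_post(sid):
    """A forged request: the attacker's page can make the victim's browser submit
    a form to our site with the victim's cookie attached, but the same-origin
    policy keeps it from reading the victim's token, so it can only guess or
    omit it. Either way the request is rejected."""
    forged_form = {"action": "delete_account", "_csrf": secrets.token_hex(20)}
    return handle_post(sid, forged_form)


def simulate_two_tabs(sid):
    """Per-session token: both tabs render the same token, so whichever tab the
    user submits first, the other one still validates."""
    tab_a = {"action": "save", "_csrf": csrf_token(sid)}
    tab_b = {"action": "save", "_csrf": csrf_token(sid)}
    return handle_post(sid, tab_a)[0], handle_post(sid, tab_b)[0]


def rotate_token(sid):
    """The per-request scheme the second reply argues against: every rendered
    page gets a fresh token and the previous one is forgotten."""
    SESSIONS[sid]["csrf"] = secrets.token_hex(20)
    return SESSIONS[sid]["csrf"]


def simulate_two_tabs_rotating(sid):
    """Rotating token: tab A is rendered first, tab B later replaces the token.
    Submitting tab A first now fails with a stale token, which is the
    multi-tab breakage mentioned above."""
    tab_a = {"action": "save", "_csrf": rotate_token(sid)}
    tab_b = {"action": "save", "_csrf": rotate_token(sid)}
    return handle_post(sid, tab_a)[0], handle_post(sid, tab_b)[0]


if __name__ == "__main__":
    sid = new_session()
    print("legitimate post:", handle_post(sid, {"_csrf": csrf_token(sid)}))
    print("forged post:    ", simulate_cross_site_post(sid))
    print("two tabs, per-session token:", simulate_two_tabs(sid))
    print("two tabs, rotating token:   ", simulate_two_tabs_rotating(sid))
```

The forged request fails even though the session cookie is valid, because the token the attacker needs lives only in pages served from our origin. The same-token-per-session scheme also survives the two-tab case, while the rotating scheme rejects the first tab submitted, which is the practical reason not to regenerate on every request.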

I always enable it.