Regenerate CSRF token per each request
Posted 10 February 2012 - 01:51 PM
I found that CSRF token in Yii is generated once and stored in cookie.
Cookie will expire when session expire.
If malicious website has your CSRF token from cookie, it can perform POST request and avoid Yii CSRF protection.
Think that CSRF token should be regenerated per each request.
How other frameworks implement CSRF protection:
What do you think?
Posted 10 February 2012 - 07:02 PM
Yes, you're right about that (you're XSS-ed and prevention was too trivial), but that's not the point of this topic... point is CSRF token validation. Just imagine they have your CSRF token and they can avoid your CSRF protection.
Think that's ok.
I would rather suggest session for CSRF token storage than cookie. Or regenerate token on every request.
Posted 11 February 2012 - 03:04 PM
1. I open www.example.com and start writing a long, long blog post.
2. In the middle of writing the post, I notice there are some comments on another post pending approval, I right click the link and open it in a new tab.
3. I approve some comments and close that tab
4. I continue writing my blog post, 10000 words later I click "Publish"
5. Since my CSRF token has expired, I get an exception when I post and I lose all my work.
This also applies to storing the CSRF token in the session. At least if a session expires while the user is filling out a form the CSRF token won't expire, and we can store their submission and post it after they log back in. If the CSRF token is in the session, we won't be able to trust that that input really came from the user.
The fact is, if a malicious website can read your cookies, you're already screwed and CSRF protection is only going to slow them down, not stop them.
Posted 19 February 2012 - 05:36 AM