Yii Framework Forum: Regenerate CSRF token per each request - Yii Framework Forum


Regenerate CSRF token per each request

#1 ManInTheBox (Junior Member, 75 posts, joined 17-June 11)

Posted 10 February 2012 - 01:51 PM

Hello,

I found that the CSRF token in Yii is generated once and stored in a cookie.
http://code.google.c...Request.php#863
The cookie will expire when the session expires.

If a malicious website has your CSRF token from the cookie, it can perform a POST request and avoid Yii's CSRF protection.

I think the CSRF token should be regenerated on each request.

How other frameworks implement CSRF protection:
http://www.senchalab...eware-csrf.html

What do you think?
0

#2 phpnode (Standard Member, 141 posts, joined 18-April 11)

Posted 10 February 2012 - 02:30 PM

How would a malicious website read your CSRF token? If they can do that, you have bigger problems to worry about.
0

#3 ekerazha (Advanced Member, 525 posts, joined 10-October 08, location: European Union)

Posted 10 February 2012 - 03:55 PM

Side note: you can use

'request'=>array(
        ...
        'csrfCookie'=>array(
                'httpOnly'=>true,
        ),
),
...

to mitigate the possibility of stealing the cookie.

Yii user #37
1

#4 ManInTheBox (Junior Member, 75 posts, joined 17-June 11)

Posted 10 February 2012 - 07:02 PM

phpnode, on 10 February 2012 - 02:30 PM, said:

    How would a malicious website read your CSRF token? If they can do that, you have bigger problems to worry about.

Yes, you're right about that (you've been XSS-ed and the prevention was too trivial), but that's not the point of this topic... the point is CSRF token validation. Just imagine they have your CSRF token and can avoid your CSRF protection.

@ekerazha
I think that's OK.

I would rather suggest the session for CSRF token storage than a cookie. Or regenerate the token on every request.
0

#5 phpnode (Standard Member, 141 posts, joined 18-April 11)

Posted 11 February 2012 - 03:04 PM

The problem with regenerating the token on each request is this scenario:

1. I open www.example.com and start writing a long, long blog post.

2. In the middle of writing the post, I notice there are some comments on another post pending approval, I right click the link and open it in a new tab.

3. I approve some comments and close that tab

4. I continue writing my blog post, 10000 words later I click "Publish"

5. Since my CSRF token has expired, I get an exception when I post and I lose all my work.


This also applies to storing the CSRF token in the session. At least if a session expires while the user is filling out a form the CSRF token won't expire, and we can store their submission and post it after they log back in. If the CSRF token is in the session, we won't be able to trust that that input really came from the user.


The fact is, if a malicious website can read your cookies, you're already screwed and CSRF protection is only going to slow them down, not stop them.
0

#6 twisted1919 (Master Member, 634 posts, joined 23-October 10, location: Romania)

Posted 19 February 2012 - 05:36 AM

If you regenerate the token on each request, I would like to see you working with multiple AJAX calls ;) You will pull your hair out, I guarantee it.
1
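To make the trade-offs in posts #1, #5 and #6 concrete, here is an added simulation that is not code from this thread or from Yii. It models three token schemes in Python rather than PHP so the scenarios can be executed directly: the per-session double-submit cookie post #1 describes, the rotate-on-every-request variant post #1 proposes, and an HMAC-derived per-form token (a common alternative; its placement of the per-session secret in the cookie, like Yii's token, is an assumption made here for comparison). The class and function names are mine. The two scenario functions replay post #5's two-tab flow and the stolen-cookie case from posts #2 and #5.

```python
import hashlib
import hmac
import secrets


class SessionToken:
    """One token per session, kept in a cookie and echoed in every form:
    the double-submit arrangement post #1 describes for Yii."""

    def __init__(self):
        self.cookie = secrets.token_hex(16)

    def render_form(self):
        return self.cookie  # every form carries the same token

    def validate(self, posted):
        return hmac.compare_digest(self.cookie.encode(), posted.encode())

    @staticmethod
    def forge(cookie):
        return cookie  # the cookie value is the token itself


class RotatingToken:
    """Regenerate the token on every request, the change post #1 proposes."""

    def __init__(self):
        self.cookie = secrets.token_hex(16)

    def render_form(self):
        self.cookie = secrets.token_hex(16)  # the GET that renders a form rotates too
        return self.cookie

    def validate(self, posted):
        ok = hmac.compare_digest(self.cookie.encode(), posted.encode())
        self.cookie = secrets.token_hex(16)  # rotate after the POST as well
        return ok

    @staticmethod
    def forge(cookie):
        return cookie


class DerivedToken:
    """Per-form tokens derived with HMAC from one per-session secret (assumed
    here to live in the cookie).  Each issued token verifies on its own, so
    open tabs and parallel AJAX calls do not invalidate each other, yet no
    two forms share a token."""

    def __init__(self):
        self.cookie = secrets.token_hex(32)  # hex-encoded 256-bit secret

    def _mac(self, nonce):
        key = bytes.fromhex(self.cookie)
        return hmac.new(key, nonce.encode(), hashlib.sha256).hexdigest()

    def render_form(self):
        nonce = secrets.token_hex(8)
        return nonce + "." + self._mac(nonce)

    def validate(self, posted):
        nonce, sep, mac = posted.partition(".")
        if sep != "." or len(nonce) != 16:
            return False
        return hmac.compare_digest(self._mac(nonce).encode(), mac.encode())

    @staticmethod
    def forge(cookie):
        # Anyone holding the secret can mint a token that validates.
        forger = DerivedToken()
        forger.cookie = cookie
        return forger.render_form()


def two_tab_scenario(scheme):
    """Post #5: tab 1 renders a long form, tab 2 renders and submits another
    form, then tab 1 submits.  Returns (tab2_accepted, tab1_accepted)."""
    s = scheme()
    tab1 = s.render_form()
    tab2 = s.render_form()
    return s.validate(tab2), s.validate(tab1)


def stolen_cookie_scenario(scheme):
    """Posts #2 and #5: an attacker who can read the CSRF cookie submits a
    request built from whatever it currently holds.  Returns whether that
    forged POST is accepted."""
    s = scheme()
    s.render_form()
    return s.validate(scheme.forge(s.cookie))


if __name__ == "__main__":
    for scheme in (SessionToken, RotatingToken, DerivedToken):
        print(scheme.__name__, "two tabs:", two_tab_scenario(scheme),
              "stolen cookie accepted:", stolen_cookie_scenario(scheme))
```

Running it shows the rotating scheme rejecting tab 1's submission (the lost blog post in post #5) while the other two accept both tabs, and that all three accept the forged request once the cookie can be read, which is phpnode's point: rotation changes which token is current, not whether an attacker who reads the cookie holds the current one.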
