Yii Framework Forum: CSRF Token And (Client Side) Caching



#1 Cstdenis


Posted 28 November 2012 - 07:43 AM

I am running into a problem with the CSRF protection and client side caching.

I use client-side browser caching of some of my pages using the Last-Modified header (through the CHttpCacheFilter extension). This is causing problems for some users, with the comment box on those pages having outdated CSRF tokens.

Scenario:
1. User visits page which gets cached in their browser.
2. User returns to page later (after the csrf token cookie has expired). Sees cached version of page.
3. User attempts to post comment, gets CSRF error because the cached page's token does not match their cookie.


My first thought on fixing this (without eliminating the caching) is to use ajax to retrieve the new token and update the form. Is this safe to do, or would an ajax query to retrieve the token be a big security hole making the csrf protection moot? The same-origin policy may make it safe, but I'm not sure.


Also, any other better solutions to this problem?

#2 Cstdenis


Posted 04 December 2012 - 03:59 PM

Bump

#3 redguy


Posted 04 December 2012 - 04:46 PM

I guess if you want to use csrf protection you cannot use client cache... you could try page caching in Yii.
Using ajax is not better because you still have to call a php script.
red

#4 le_top


Posted 25 June 2013 - 05:48 AM

Anybody finding this page looking for a solution: find a solution here: http://www.yiiframew...he-client-side/ .
