Yii Framework Forum: Extended Csrf Tokens - Yii Framework Forum


Extended Csrf Tokens

#1 someguy

Posted 10 April 2013 - 10:06 PM

So currently I've subclassed CHttpRequest so I can override getCsrfToken with the following; I think it would be a good addition to the core Yii framework.

public function getCsrfToken($extra = NULL)
{
	// Regular per-session CSRF token from CHttpRequest
	$csrf = parent::getCsrfToken();
	// Mix in the action-specific value so the token is tied to one action
	$csrf = sha1($csrf . $extra);
	return $csrf;
}

The purpose of the code is that a CSRF token can be combined with a piece of information to get a unique token for that user for a specific action.

If somebody got a hold of a regular token they could potentially make a user perform all actions with that token. If the extended CSRF token is compromised then it's not as big a deal because it's only unique to a specific action.

For example, if a user was to delete item 185, the CSRF token would be $request->getCsrfToken(185), and then the same when validated, meaning it only has a single use of deleting item 185 and would not work on any other items, forms, etc.

#2 twisted1919

Posted 29 April 2013 - 01:14 PM

But it will work for user with id 185 / post with id 185 / comment with id 185.
So it doesn't really make any sense to me. If you want to extend this in the proper way, I think the entire URI should be hashed, not just a part of it, mainly not the id, which can be used for other resources.
Anyway, bottom line is that you don't want a CSRF token; you will want a nonce in this case.
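The two ideas in this thread, binding a token to a whole action rather than a bare id (post #2's objection to post #1) and using a single-use nonce, shown as an added example. This is not code from the thread and not part of Yii; the class names ActionToken and NonceStore, the route strings and the sample session token are all constructed for the example. It uses hash_hmac with the session token as key instead of sha1($csrf.$extra), so the per-session secret is the key rather than part of the hashed message, and hash_equals for the comparison.

```php
<?php
// Added example, not from the thread or from Yii. Names are hypothetical.

final class ActionToken
{
    /** @var string the regular per-session CSRF token (stands in for CHttpRequest::getCsrfToken()) */
    private $sessionToken;

    public function __construct($sessionToken)
    {
        $this->sessionToken = $sessionToken;
    }

    /**
     * Derive a token bound to one action. The action key contains the HTTP
     * method, the route and the target id, so "delete item 185" and
     * "delete user 185" yield different tokens even though the id is shared.
     * The session token is the HMAC key, not part of the message.
     */
    public function forAction($method, $route, $id)
    {
        $actionKey = strtoupper($method) . '|' . $route . '|' . $id;
        return hash_hmac('sha256', $actionKey, $this->sessionToken);
    }

    /** Constant-time comparison of a submitted token against the expected one. */
    public function validate($submitted, $method, $route, $id)
    {
        return hash_equals($this->forAction($method, $route, $id), (string) $submitted);
    }
}

/**
 * Single-use nonce: issued once for one action key, consumed once.
 * Backed by an in-memory array here; a real deployment keeps it in the
 * session or another server-side store.
 */
final class NonceStore
{
    private $issued = array();

    public function issue($actionKey)
    {
        $nonce = bin2hex(random_bytes(16));
        $this->issued[$nonce] = $actionKey;
        return $nonce;
    }

    /** True only the first time a nonce is presented for the action it was issued for. */
    public function consume($nonce, $actionKey)
    {
        if (!isset($this->issued[$nonce]) || !hash_equals($this->issued[$nonce], $actionKey)) {
            return false;
        }
        unset($this->issued[$nonce]);   // burn it so a replay is rejected
        return true;
    }
}

// --- usage with constructed sample values ---
$sessionToken = bin2hex(random_bytes(32));   // constructed stand-in for the per-session token
$tokens = new ActionToken($sessionToken);

$deleteItem = $tokens->forAction('POST', 'item/delete', 185);
$deleteUser = $tokens->forAction('POST', 'user/delete', 185);

// Same id, different route: the tokens differ, so the item token is rejected for the user action.
var_dump($deleteItem !== $deleteUser);
var_dump($tokens->validate($deleteItem, 'POST', 'item/delete', 185));
var_dump($tokens->validate($deleteItem, 'POST', 'user/delete', 185));

// Nonce: the first consume succeeds, the second presentation of the same nonce is refused.
$nonces = new NonceStore();
$n = $nonces->issue('POST|item/delete|185');
var_dump($nonces->consume($n, 'POST|item/delete|185'));
var_dump($nonces->consume($n, 'POST|item/delete|185'));
```

The action-bound token still only protects against cross-site forgery of that one action; if the goal is that an action can succeed exactly once, the NonceStore path is the one to use, and the store must be server-side so a client cannot re-issue its own nonce.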
