-
Notifications
You must be signed in to change notification settings - Fork 89
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Should cookie should be refreshed for every request #4
Comments
If by cookie, you mean CSRF token (cookies are used for a multitude of objectives), a token should be generated and expired only when consumed (or timed out). It other words, it should behave like a CAPTCHA. You don't need to have one active token in the server side at a time, you probably need many more. Please point to the code for this so that I can understnad. |
Currently its like, token is refreshed for every request. code: https://github.com/mebjas/CSRF-Protector-PHP/blob/master/libs/csrf/csrfprotector.php#L142 By consumed you mean used? |
First of all, $_GET and $_POST can be set for each request. Second, do not unset them, instead set them to an empty array. Unsetting them will break most apps. Third, you have a lot of repeated code. Change your logic to minimize them. Fourth, to the actual point. The way you’re doing it is wrong, it does not allow an application to have more than ONE simultaneus operation running. If you open two tabs, you will always fail on tokens. Only consume a token when its valid, or when it times out. You are also storing the valid token in the cookies! That is totally wrong. You should store all valid CSRF tokens with their respective URLs in session (server-side) instead of in client cookies. Please create an issue for this on GitHub so that we can track. Notice: This message is digitally signed, its source and integrity are verifiable. On Jun 5, 2014, at 2:14 PM, minhaz notifications@github.com wrote:
|
for $_GET and $_POST +1, and I have implemented it. |
for the fourth point, even by using different tokens for each request, we can operate on two or more tabs. The js code, attaches the token at the point where request is made, which means even if I did some other operation in other tab, and token has changed in cookie. the code will pick the latest token and bind it with the current request. And later it will be validated correctly at the server. But still I feel uncomfortable with the concept, of using different tokens for each request. But I do not understand what you mean by consume, are you suggesting cookie shall change for every successful validation of csrftoken? |
For the last point, The whole concept of this method is based on client side cookie |
Also this is already an issue on github. here's the link Minhaz, On Fri, Jun 6, 2014 at 6:14 AM, AbiusX notifications@github.com wrote:
|
The token should be stored in sever session, a copy can be sent to the client for processing, but its the server who defines tokens. We don’t want to let the client define its own tokens (token fixation). Notice: This message is digitally signed, its source and integrity are verifiable. On Jun 6, 2014, at 3:03 AM, minhaz notifications@github.com wrote:
|
Ok we can implement this logic also, that we keep the token as a session variable, send one as cookie header. and validate using session one rather than the cookie one. But considering the type of attack CSRF is. an attacker cannot modify cookie in victims browser, SOP won't permit attacker to do so. For this to work, attacker has to implement something like (xss + csrf) attack. so if attacker can implement xss -> he can still retrieve the token from cookie! So isn't using session token an overhead here? |
@abiusx I'd like to know when should we refresh the token other than in case of timeout? I couldn't get what you mean by consumed? |
Its not that simple. Nowadays XSS/CSRF attacks are very complicated, and its better to be safe than sorry. Notice: This message is digitally signed, its source and integrity are verifiable. On Jun 6, 2014, at 11:58 AM, minhaz notifications@github.com wrote:
|
Consumption happens when a token is validly matched. Then it will be removed from session variables. This is important, because we don’t want a CSRF token to be used twice. Notice: This message is digitally signed, its source and integrity are verifiable. On Jun 6, 2014, at 11:59 AM, minhaz notifications@github.com wrote:
|
Ok, I'll move the validation logic to session. |
SESSION logic implemented! 03921f3 |
Currently the cookies are refreshed for each request that is sent.
Otherwise if we keep token constant until it expires, there is risk of token exposure, in a long run and it can later be used for CSRF attacks.
There are problems involved with refreshing cookies for every request as well, on the client side we need to update tokens added to entities like forms, xhr objects etc as soon as cookie is refreshed.
The text was updated successfully, but these errors were encountered: