Token value per session about csrf-guard HOT 14 CLOSED

@s3b4stian, thank you for your reply. I think it's not necessary to separate the token name and value from the $_SESSION['CSRF'].

If we have to separate this, it's okay to do that 👍.

from csrf-guard.

Hi @playinteractive , thank you for your reply. According to the source code on this repository, the unset function will reset correctly the $_SESSION['CSRF'] after calling the validate method.

After calling the validate method, it will also call the doChecks and deleteToken methods.

I think you will generate the new token before calling validation method.

@s3b4stian, perhaps we can let the deleteToken public method or develop the resetToken method to complete this work? I think we should not call the validate if we only want to reset the CSRF token 👍 .

Also, this feature usage should be added in README.md.

from csrf-guard.

Ok! Perfect!

To reduce the length of the session file, try to set the class like this:

$csrf = new Linna\CsrfGuard(8, 32);

Todo

• I next release I will add a cleaning mechanism that, when called delete older and surely unused tokens, preserving latest added.
• README.md file need an update for explain in more exaustive way how the token storage works.

from csrf-guard.

@s3b4stian, thank you for your reply. I think it's fine to implement new features for my previous comment.

If having any problems, please let me know and I will help you!

from csrf-guard.

Great, thanks @s3b4stian and @peter279k

Cheers!

from csrf-guard.

@playinteractive, thank you for your reply.

According to the current approach. the token name and value are stored in the $_SESSION['CSRF'] associate array.

I think you want to separate this associate array and they possibly will be the $_SESSION['token_name'] and $_SESSION['token_value'] ?

I think it can be possible, but this is the small change or feature. The decision that it's up to the @s3b4stian.

Perhaps it can be the optional method to let developers decide to store them together or separation 👍 .

from csrf-guard.

Thanks for the question!

Yes should be possible but isn't the scope of csrf token.

Token should be used on forms where the user do a dispositive action, a delete a modify or an update. On read action it should not be necessary.

Set up the token only for forms, look on the OWASP website for more information about this time of web attack!

from csrf-guard.

Reflecting on the space occupied, I could save in session, only the hash of the name and token value pair in order to save memory or disk space.

I have to try the change.

However it considers the use of the token only for the forms.

from csrf-guard.

Hi peter279k and s3b4stian,

Thanks for your reply. What I mean is this (extracted from the sess file):

CSRF|a:34:{s:21:"csrf_df0336966fbc4caf";a:2:{s:4:"name";s:21:"csrf_df0336966fbc4caf";s:5:"value";s:64:"9f72afccf70dea1f6ac95dff0a40260ca638fd26d41bde8260154523494cb620";}s:21:"csrf_cae14e4ac83acf1c";a:2:{s:4:"name";s:21:"csrf_cae14e4ac83acf1c";s:5:"value";s:64:"c91af11bfd228d40d60248220ff6dbcf7f2819798d6f49fd73f74be82ff08bc6";}s:21:"csrf_1b791c1958f5d44d";a:2:{s:4:"name";s:21:"csrf_1b791c1958f5d44d";s:5:"value";s:64:"ff9aa8165f6516771081737e2b9208c35ff46e2e137172e9e031988d6b1ace80";}s:21:"csrf_9b1ea1e843d96dd6";a:2:{s:4:"name";s:21:"csrf_9b1ea1e843d96dd6";s:5:"value";s:64:"e713b0f4ca1452e2664b4b42ea19a8eae8a8cb4c74b4ecfe5269624812f35828";}s:21:"csrf_b6ede12d086c70d6";a:2:{s:4:"name";s:21:"csrf_b6ede12d086c70d6";s:5:"value";s:64:"4d62f9822b71e4a78dfba8f25b74fea898c3b90f5518f9898950e883e32db392";}s:21:"csrf_55d1f890e320b1a4";a:2:{s:4:"name";s:21:"csrf_55d1f890e320b1a4";s:5:"value";s:64:"44100f5007ae1a3b6bf6d2647d985e79294a1ce8304da3344523cbaf3d36cfbf";}s:21:"csrf_f48432f4e5742a7f";a:2:{s:4:"name";s:21:"csrf_f48432f4e5742a7f";s:5:"value";s:64:"49bee8c11e2287d0a5165a23186616633e583fe446cb6ffc1626f5d483bf9300";}s:21:"csrf_70f3168f30e2b7ee";a:2:{s:4:"name";s:21:"csrf_70f3168f30e2b7ee";s:5:"value";s:64:"5c26497fc4b550820b4572aa9d63dee485df84e80d5f4c70faddf7bfba0d840e";}s:21:"csrf_4e8ea3e7954d87c2";a:2:{s:4:"name";s:21:"csrf_4e8ea3e7954d87c2";s:5:"value";s:64:"8df8c3a40d34cebce4b25dff34e7de799e0b20c453f071b39ce6d63153635409";}s:21:"csrf_a777b48d3b0314b4";a:2:{s:4:"name";s:21:"csrf_a777b48d3b0314b4";s:5:"value";s:64:"d11812da9e8fae2064f8d20bb16b5df65b61c77c26add8de5535fe95217cafd3";}s:21:"csrf_676af5d8d708cd07";a:2:{s:4:"name";s:21:"csrf_676af5d8d708cd07";s:5:"value";s:64:"b7f44d78fb437b036538f4f3a66ca23122c4698cfb468538e6ae0f85d9079abd";}s:21:"csrf_aaed2a2e98eb2de5";a:2:{s:4:"name";s:21:"csrf_aaed2a2e98eb2de5";s:5:"value";s:64:"23551071660c95daf61643d353fee2690d69528efcd8af37f8d6e6d592cfa4b3";}s:21:"csrf_137aa228ea657eb9";a:2:{s:4:"name";s:21:"csrf_137aa228ea657eb9";s:5:"value";s:64:"dccdafeed06bef2dfddccc493d23227de51b2cd045059b696169d21b1b08fb14";}s:21:"csrf_eb5cb10507d6da51";a:2:{s:4:"name";s:21:"csrf_eb5cb10507d6da51";s:5:"value";s:64:"1746d609f83fbebb2fe989c00bd82bd6846e24ec6cf2492c7b7077f37c8f4fad";}s:21:"csrf_a0990357e41fd5ed";a:2:{s:4:"name";s:21:"csrf_a0990357e41fd5ed";s:5:"value";s:64:"e5ffaf4318bde7c74c80be6abb120ebb1e6d61b40ff3abdd09cadd95c8b4081d";}s:21:"csrf_4b905c4278c59856";a:2:{s:4:"name";s:21:"csrf_4b905c4278c59856";s:5:"value";s:64:"4d676d8babd4bdd36941916bd4b4ad5036a897ecb0d4f2a9afba9fa810101f76";}s:21:"csrf_3e18049174df6472";a:2:{s:4:"name";s:21:"csrf_3e18049174df6472";s:5:"value";s:64:"9dc754499c87b8605a9210f227fe056042bc0df003e23c0e93835383041b552c";}s:21:"csrf_0df5b6445fe5d41c";a:2:{s:4:"name";s:21:"csrf_0df5b6445fe5d41c";s:5:"value";s:64:"a3e666ea25c88484ad299d65add927a59323f7cd3ba9468838a5bd353ff0c8e5";}s:21:"csrf_97f393c9ae3bc967";a:2:{s:4:"name";s:21:"csrf_97f393c9ae3bc967";s:5:"value";s:64:"2989892928bc53471c66ebb530fab38fefaab0a7ecaea8a90e760f04ca4cadc8";}s:21:"csrf_a9a923e88590182a";a:2:{s:4:"name";s:21:"csrf_a9a923e88590182a";s:5:"value";s:64:"873d585f020710ae8b58e4a968cd079a91d48b252780863b56aef8ff4bb35dca";}s:21:"csrf_5488a56a5077b6d1";a:2:{s:4:"name";s:21:"csrf_5488a56a5077b6d1";s:5:"value";s:64:"a447c08438aaf0bba05a4377f4a1344b7dc40d9678c41649d6b22504d927ebb3";}s:21:"csrf_5eedf0637bbd6010";a:2:{s:4:"name";s:21:"csrf_5eedf0637bbd6010";s:5:"value";s:64:"0b1fd1a081084149f9a93acb84a32363ac025595d7c9e5d2be9e729e9cdd5f13";}s:21:"csrf_589e214e676c7cf2";a:2:{s:4:"name";s:21:"csrf_589e214e676c7cf2";s:5:"value";s:64:"ef31f3d08575402610589735038742ccb59494df30f006a0f6f6c463c88f73ff";}s:21:"csrf_00a92bb03106daae";a:2:{s:4:"name";s:21:"csrf_00a92bb03106daae";s:5:"value";s:64:"a582a3863b5b57a41bd34f62b728f52a5527a4660c6dba724f64ae1429544c2e";}s:21:"csrf_9ba2384ec8a70bd7";a:2:{s:4:"name";s:21:"csrf_9ba2384ec8a70bd7";s:5:"value";s:64:"3169e627df932bc314b9bd1cce02b13fc77b210da9c5a7108b5406613c30cd0a";}s:21:"csrf_52d6d71a00f1b458";a:2:{s:4:"name";s:21:"csrf_52d6d71a00f1b458";s:5:"value";s:64:"5de8226d47be93a73fa0444f0d9cb2be716bd0a7ebe410d3ea56fb168a416d08";}s:21:"csrf_c40b32fe800b74a2";a:2:{s:4:"name";s:21:"csrf_c40b32fe800b74a2";s:5:"value";s:64:"0cba99ec91c775270084fa07630bafa5c455a71ba612dd8c583d59ba7636eb6f";}s:21:"csrf_0c352c8bf9973331";a:2:{s:4:"name";s:21:"csrf_0c352c8bf9973331";s:5:"value";s:64:"5f176216fa268c9895308d1ea4874fb00e2d4decafe22b1cfd36f713d049ad70";}s:21:"csrf_d2bc3e483f79c1eb";a:2:{s:4:"name";s:21:"csrf_d2bc3e483f79c1eb";s:5:"value";s:64:"d2dc6c920c95272005f0cd7a55994968b26731690e011ee41856988502ecd09e";}s:21:"csrf_22569c549acd9f89";a:2:{s:4:"name";s:21:"csrf_22569c549acd9f89";s:5:"value";s:64:"a6e04d245791e8527c4d2f336006b3bef7be65e1a3e3e1bb0ef6370cc2f5af66";}s:21:"csrf_19c6a9794ec134b8";a:2:{s:4:"name";s:21:"csrf_19c6a9794ec134b8";s:5:"value";s:64:"d4b5f925f68ec82065e10aafb632ff698dc9c2bd4994cb5d7186e39c3181bf89";}s:21:"csrf_a449ea90a027cbdb";a:2:{s:4:"name";s:21:"csrf_a449ea90a027cbdb";s:5:"value";s:64:"eb40af0f98fd425ccdfd6aa71f04bbe29fa3dccdca395f6625c4a43207bf2b6d";}s:21:"csrf_b87ccf7ec89dd9a7";a:2:{s:4:"name";s:21:"csrf_b87ccf7ec89dd9a7";s:5:"value";s:64:"b14d7ba16bfbbe7923289a1c93dcf468e7147021cfa0e4038910506744826c41";}s:21:"csrf_04c98cc0bed7ddcc";a:2:{s:4:"name";s:21:"csrf_04c98cc0bed7ddcc";s:5:"value";s:64:"14df21e235d4b091259b78a67c1ff80913eb77953f0e30ce6d328c70f80b8717";}}

As you can see there is a lot of "garbage data" in the file, so I have two questions:

1. All of these tokens are working? Or only the last one?
2. This is why I asked you about using only one value/name per session.

Acording to:

https://security.stackexchange.com/questions/22903/why-refresh-csrf-token-per-form-request

For the reasons already discussed, it is not necessary to generate a new token per request. It brings almost zero security advantage, and it costs you in terms of usability: with only one token valid at once, the user will not be able to navigate the webapp normally. For example if they hit the 'back' button and submit the form with new values, the submission will fail, and likely greet them with some hostile error message. If they try to open a resource in a second tab, they'll find the session randomly breaks in one or both tabs. It is usually not worth maiming your application's usability to satisfy this pointless requirement.

from csrf-guard.

@playinteractive, thank you for your reply.
Do you use the unset function to destroy the $_SESSION['CSRF'] before generating the CSRF token?
I think that array appends the values and they're not deleted before appending the token.

from csrf-guard.

Yes true, I'm using now:

if (isset($_SESSION['CSRF'])) unset($_SESSION['CSRF']);

And works fine! Thanks.

Anyways, maybe you can improve this class adding the possibility to choose using one token per session or request!

Cheers.

from csrf-guard.

Which version are you using. Every token should be removed from the session superglobal when validate method is used. I do more tests tomorrow!

from csrf-guard.

About your first question, all tokens are working! Could you peste here the code snippet when you check the token?

from csrf-guard.

Hi there, here is my code to validate:

Before send form:

if (session_status() == PHP_SESSION_NONE) @session_start();

// With this I only work with one token in the sess file
if (!isset($_GET[DIRECTORY_FORM])) if (isset($_SESSION['CSRF'])) unset($_SESSION['CSRF']);

$csrf = new Linna\CsrfGuard(64, 32);

$token = $csrf->getToken();

After send form:

if (!$csrf->validate($_POST)) echo 'Wrong token';

@s3b4stian Yes, after calling validate method unset works fine but only when you send the form. If you refresh a login page the class is generating new tokens making the sess file too long.

from csrf-guard.