Comments (14)
@s3b4stian, thank you for your reply. I think it's not necessary to separate the token name and value from the $_SESSION['CSRF']
.
If we have to separate this, it's okay to do that 👍.
from csrf-guard.
Hi @playinteractive , thank you for your reply. According to the source code on this repository, the unset
function will reset correctly the $_SESSION['CSRF']
after calling the validate
method.
After calling the validate
method, it will also call the doChecks
and deleteToken
methods.
I think you will generate the new token before calling validation
method.
@s3b4stian, perhaps we can let the deleteToken
public method or develop the resetToken
method to complete this work? I think we should not call the validate
if we only want to reset the CSRF token 👍 .
Also, this feature usage should be added in README.md
.
from csrf-guard.
Ok! Perfect!
To reduce the length of the session file, try to set the class like this:
$csrf = new Linna\CsrfGuard(8, 32);
Todo
- I next release I will add a cleaning mechanism that, when called delete older and surely unused tokens, preserving latest added.
- README.md file need an update for explain in more exaustive way how the token storage works.
from csrf-guard.
@s3b4stian, thank you for your reply. I think it's fine to implement new features for my previous comment.
If having any problems, please let me know and I will help you!
from csrf-guard.
Great, thanks @s3b4stian and @peter279k
Cheers!
from csrf-guard.
@playinteractive, thank you for your reply.
According to the current approach. the token name and value are stored in the $_SESSION['CSRF']
associate array.
I think you want to separate this associate array and they possibly will be the $_SESSION['token_name']
and $_SESSION['token_value']
?
I think it can be possible, but this is the small change or feature. The decision that it's up to the @s3b4stian.
Perhaps it can be the optional method to let developers decide to store them together or separation 👍 .
from csrf-guard.
Thanks for the question!
Yes should be possible but isn't the scope of csrf token.
Token should be used on forms where the user do a dispositive action, a delete a modify or an update. On read action it should not be necessary.
Set up the token only for forms, look on the OWASP website for more information about this time of web attack!
from csrf-guard.
Reflecting on the space occupied, I could save in session, only the hash of the name and token value pair in order to save memory or disk space.
I have to try the change.
However it considers the use of the token only for the forms.
from csrf-guard.
Hi peter279k and s3b4stian,
Thanks for your reply. What I mean is this (extracted from the sess file):
CSRF|a:34:{s:21:"csrf_df0336966fbc4caf";a:2:{s:4:"name";s:21:"csrf_df0336966fbc4caf";s:5:"value";s:64:"9f72afccf70dea1f6ac95dff0a40260ca638fd26d41bde8260154523494cb620";}s:21:"csrf_cae14e4ac83acf1c";a:2:{s:4:"name";s:21:"csrf_cae14e4ac83acf1c";s:5:"value";s:64:"c91af11bfd228d40d60248220ff6dbcf7f2819798d6f49fd73f74be82ff08bc6";}s:21:"csrf_1b791c1958f5d44d";a:2:{s:4:"name";s:21:"csrf_1b791c1958f5d44d";s:5:"value";s:64:"ff9aa8165f6516771081737e2b9208c35ff46e2e137172e9e031988d6b1ace80";}s:21:"csrf_9b1ea1e843d96dd6";a:2:{s:4:"name";s:21:"csrf_9b1ea1e843d96dd6";s:5:"value";s:64:"e713b0f4ca1452e2664b4b42ea19a8eae8a8cb4c74b4ecfe5269624812f35828";}s:21:"csrf_b6ede12d086c70d6";a:2:{s:4:"name";s:21:"csrf_b6ede12d086c70d6";s:5:"value";s:64:"4d62f9822b71e4a78dfba8f25b74fea898c3b90f5518f9898950e883e32db392";}s:21:"csrf_55d1f890e320b1a4";a:2:{s:4:"name";s:21:"csrf_55d1f890e320b1a4";s:5:"value";s:64:"44100f5007ae1a3b6bf6d2647d985e79294a1ce8304da3344523cbaf3d36cfbf";}s:21:"csrf_f48432f4e5742a7f";a:2:{s:4:"name";s:21:"csrf_f48432f4e5742a7f";s:5:"value";s:64:"49bee8c11e2287d0a5165a23186616633e583fe446cb6ffc1626f5d483bf9300";}s:21:"csrf_70f3168f30e2b7ee";a:2:{s:4:"name";s:21:"csrf_70f3168f30e2b7ee";s:5:"value";s:64:"5c26497fc4b550820b4572aa9d63dee485df84e80d5f4c70faddf7bfba0d840e";}s:21:"csrf_4e8ea3e7954d87c2";a:2:{s:4:"name";s:21:"csrf_4e8ea3e7954d87c2";s:5:"value";s:64:"8df8c3a40d34cebce4b25dff34e7de799e0b20c453f071b39ce6d63153635409";}s:21:"csrf_a777b48d3b0314b4";a:2:{s:4:"name";s:21:"csrf_a777b48d3b0314b4";s:5:"value";s:64:"d11812da9e8fae2064f8d20bb16b5df65b61c77c26add8de5535fe95217cafd3";}s:21:"csrf_676af5d8d708cd07";a:2:{s:4:"name";s:21:"csrf_676af5d8d708cd07";s:5:"value";s:64:"b7f44d78fb437b036538f4f3a66ca23122c4698cfb468538e6ae0f85d9079abd";}s:21:"csrf_aaed2a2e98eb2de5";a:2:{s:4:"name";s:21:"csrf_aaed2a2e98eb2de5";s:5:"value";s:64:"23551071660c95daf61643d353fee2690d69528efcd8af37f8d6e6d592cfa4b3";}s:21:"csrf_137aa228ea657eb9";a:2:{s:4:"name";s:21:"csrf_137aa228ea657eb9";s:5:"value";s:64:"dccdafeed06bef2dfddccc493d23227de51b2cd045059b696169d21b1b08fb14";}s:21:"csrf_eb5cb10507d6da51";a:2:{s:4:"name";s:21:"csrf_eb5cb10507d6da51";s:5:"value";s:64:"1746d609f83fbebb2fe989c00bd82bd6846e24ec6cf2492c7b7077f37c8f4fad";}s:21:"csrf_a0990357e41fd5ed";a:2:{s:4:"name";s:21:"csrf_a0990357e41fd5ed";s:5:"value";s:64:"e5ffaf4318bde7c74c80be6abb120ebb1e6d61b40ff3abdd09cadd95c8b4081d";}s:21:"csrf_4b905c4278c59856";a:2:{s:4:"name";s:21:"csrf_4b905c4278c59856";s:5:"value";s:64:"4d676d8babd4bdd36941916bd4b4ad5036a897ecb0d4f2a9afba9fa810101f76";}s:21:"csrf_3e18049174df6472";a:2:{s:4:"name";s:21:"csrf_3e18049174df6472";s:5:"value";s:64:"9dc754499c87b8605a9210f227fe056042bc0df003e23c0e93835383041b552c";}s:21:"csrf_0df5b6445fe5d41c";a:2:{s:4:"name";s:21:"csrf_0df5b6445fe5d41c";s:5:"value";s:64:"a3e666ea25c88484ad299d65add927a59323f7cd3ba9468838a5bd353ff0c8e5";}s:21:"csrf_97f393c9ae3bc967";a:2:{s:4:"name";s:21:"csrf_97f393c9ae3bc967";s:5:"value";s:64:"2989892928bc53471c66ebb530fab38fefaab0a7ecaea8a90e760f04ca4cadc8";}s:21:"csrf_a9a923e88590182a";a:2:{s:4:"name";s:21:"csrf_a9a923e88590182a";s:5:"value";s:64:"873d585f020710ae8b58e4a968cd079a91d48b252780863b56aef8ff4bb35dca";}s:21:"csrf_5488a56a5077b6d1";a:2:{s:4:"name";s:21:"csrf_5488a56a5077b6d1";s:5:"value";s:64:"a447c08438aaf0bba05a4377f4a1344b7dc40d9678c41649d6b22504d927ebb3";}s:21:"csrf_5eedf0637bbd6010";a:2:{s:4:"name";s:21:"csrf_5eedf0637bbd6010";s:5:"value";s:64:"0b1fd1a081084149f9a93acb84a32363ac025595d7c9e5d2be9e729e9cdd5f13";}s:21:"csrf_589e214e676c7cf2";a:2:{s:4:"name";s:21:"csrf_589e214e676c7cf2";s:5:"value";s:64:"ef31f3d08575402610589735038742ccb59494df30f006a0f6f6c463c88f73ff";}s:21:"csrf_00a92bb03106daae";a:2:{s:4:"name";s:21:"csrf_00a92bb03106daae";s:5:"value";s:64:"a582a3863b5b57a41bd34f62b728f52a5527a4660c6dba724f64ae1429544c2e";}s:21:"csrf_9ba2384ec8a70bd7";a:2:{s:4:"name";s:21:"csrf_9ba2384ec8a70bd7";s:5:"value";s:64:"3169e627df932bc314b9bd1cce02b13fc77b210da9c5a7108b5406613c30cd0a";}s:21:"csrf_52d6d71a00f1b458";a:2:{s:4:"name";s:21:"csrf_52d6d71a00f1b458";s:5:"value";s:64:"5de8226d47be93a73fa0444f0d9cb2be716bd0a7ebe410d3ea56fb168a416d08";}s:21:"csrf_c40b32fe800b74a2";a:2:{s:4:"name";s:21:"csrf_c40b32fe800b74a2";s:5:"value";s:64:"0cba99ec91c775270084fa07630bafa5c455a71ba612dd8c583d59ba7636eb6f";}s:21:"csrf_0c352c8bf9973331";a:2:{s:4:"name";s:21:"csrf_0c352c8bf9973331";s:5:"value";s:64:"5f176216fa268c9895308d1ea4874fb00e2d4decafe22b1cfd36f713d049ad70";}s:21:"csrf_d2bc3e483f79c1eb";a:2:{s:4:"name";s:21:"csrf_d2bc3e483f79c1eb";s:5:"value";s:64:"d2dc6c920c95272005f0cd7a55994968b26731690e011ee41856988502ecd09e";}s:21:"csrf_22569c549acd9f89";a:2:{s:4:"name";s:21:"csrf_22569c549acd9f89";s:5:"value";s:64:"a6e04d245791e8527c4d2f336006b3bef7be65e1a3e3e1bb0ef6370cc2f5af66";}s:21:"csrf_19c6a9794ec134b8";a:2:{s:4:"name";s:21:"csrf_19c6a9794ec134b8";s:5:"value";s:64:"d4b5f925f68ec82065e10aafb632ff698dc9c2bd4994cb5d7186e39c3181bf89";}s:21:"csrf_a449ea90a027cbdb";a:2:{s:4:"name";s:21:"csrf_a449ea90a027cbdb";s:5:"value";s:64:"eb40af0f98fd425ccdfd6aa71f04bbe29fa3dccdca395f6625c4a43207bf2b6d";}s:21:"csrf_b87ccf7ec89dd9a7";a:2:{s:4:"name";s:21:"csrf_b87ccf7ec89dd9a7";s:5:"value";s:64:"b14d7ba16bfbbe7923289a1c93dcf468e7147021cfa0e4038910506744826c41";}s:21:"csrf_04c98cc0bed7ddcc";a:2:{s:4:"name";s:21:"csrf_04c98cc0bed7ddcc";s:5:"value";s:64:"14df21e235d4b091259b78a67c1ff80913eb77953f0e30ce6d328c70f80b8717";}}
As you can see there is a lot of "garbage data" in the file, so I have two questions:
- All of these tokens are working? Or only the last one?
- This is why I asked you about using only one value/name per session.
Acording to:
https://security.stackexchange.com/questions/22903/why-refresh-csrf-token-per-form-request
For the reasons already discussed, it is not necessary to generate a new token per request. It brings almost zero security advantage, and it costs you in terms of usability: with only one token valid at once, the user will not be able to navigate the webapp normally. For example if they hit the 'back' button and submit the form with new values, the submission will fail, and likely greet them with some hostile error message. If they try to open a resource in a second tab, they'll find the session randomly breaks in one or both tabs. It is usually not worth maiming your application's usability to satisfy this pointless requirement.
from csrf-guard.
@playinteractive, thank you for your reply.
Do you use the unset
function to destroy the $_SESSION['CSRF']
before generating the CSRF token?
I think that array appends the values and they're not deleted before appending the token.
from csrf-guard.
Yes true, I'm using now:
if (isset($_SESSION['CSRF'])) unset($_SESSION['CSRF']);
And works fine! Thanks.
Anyways, maybe you can improve this class adding the possibility to choose using one token per session or request!
Cheers.
from csrf-guard.
Which version are you using. Every token should be removed from the session superglobal when validate method is used. I do more tests tomorrow!
from csrf-guard.
About your first question, all tokens are working! Could you peste here the code snippet when you check the token?
from csrf-guard.
Hi there, here is my code to validate:
Before send form:
if (session_status() == PHP_SESSION_NONE) @session_start();
// With this I only work with one token in the sess file
if (!isset($_GET[DIRECTORY_FORM])) if (isset($_SESSION['CSRF'])) unset($_SESSION['CSRF']);
$csrf = new Linna\CsrfGuard(64, 32);
$token = $csrf->getToken();
After send form:
if (!$csrf->validate($_POST)) echo 'Wrong token';
@s3b4stian Yes, after calling validate method unset works fine but only when you send the form. If you refresh a login page the class is generating new tokens making the sess file too long.
from csrf-guard.
Related Issues (3)
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from csrf-guard.