CodeIgniter Forums

Full Version: CSRF and Browser Cookie Settings
Pages: 1 2
I am using CodeIgniter 3 and I use database settings for cookies and CSRF is active. My site is using SSL as well. I have been having an issue where sometimes my forms and AJAX work fine and sometimes I receive "The action you have requested is not allowed." errors.

I noticed that my form/AJAX submissions work fine in some browsers and not others and I finally figured out it is because of my cookie settings.

I accept cookies in Chrome and not in Firefox and my site works as designed in Chrome.

Is there a way to have my browser setting remain at "do not accept cookies" and still use CodeIgniter with CSRF? Below are my config settings. As I mentioned, my code works just fine in browsers where I accept cookies.

Code:
$config['sess_driver']             = 'database';
$config['sess_cookie_name']        = 'ci_session';
$config['sess_expiration']         = 0;
$config['sess_save_path']          = 'ci_sessions';
$config['sess_match_ip']           = FALSE;
$config['sess_time_to_update']     = 300;
$config['sess_regenerate_destroy'] = FALSE;

$config['cookie_prefix']    = '';
$config['cookie_domain']    = '.mysite.com';
$config['cookie_path']      = '/';
$config['cookie_secure']    = FALSE;
$config['cookie_httponly']  = FALSE;

$config['csrf_protection']   = TRUE;
$config['csrf_token_name']   = 'msmm_tn';
$config['csrf_cookie_name']  = 'msmm_cn';
$config['csrf_expire']       = 7200;
$config['csrf_regenerate']   = TRUE;
$config['csrf_exclude_uris'] = array();
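
The settings below are not the cause of the failures described in the post (those come from the browser refusing cookies), but two values in the posted cookie block are worth fixing on a site that is served over SSL. This is an added example, not part of the original post: the poster's cookie and CSRF lines with the values an all-HTTPS CodeIgniter 3 site should use, and the original values noted in the comments.

```php
<?php
// Added example (not from the original post): the cookie block of the posted
// config with the hardening an all-HTTPS site should use. Original values are
// noted in the trailing comments.

$config['cookie_prefix']    = '';
$config['cookie_domain']    = '';      // was '.mysite.com': that shares the session and CSRF cookies
                                       // with every subdomain; leave empty unless subdomains need them
$config['cookie_path']      = '/';
$config['cookie_secure']    = TRUE;    // was FALSE; TRUE keeps both cookies off plain HTTP. CI3 refuses
                                       // to set the CSRF cookie at all on a non-HTTPS request, so only
                                       // use TRUE once every page is served over SSL (as it is here)
$config['cookie_httponly']  = TRUE;    // was FALSE; TRUE hides the cookies from page script. CI3 applies
                                       // it to the CSRF cookie too, so AJAX code must take the token from
                                       // the hidden form field or a response body, not from document.cookie

// Left as posted. With csrf_regenerate TRUE every verified POST rotates the
// token, so an AJAX caller that keeps reusing the token it loaded with the page
// gets "The action you have requested is not allowed." on its second request;
// it has to pick up the new value after each POST.
$config['csrf_protection']   = TRUE;
$config['csrf_token_name']   = 'msmm_tn';
$config['csrf_cookie_name']  = 'msmm_cn';
$config['csrf_expire']       = 7200;
$config['csrf_regenerate']   = TRUE;
$config['csrf_exclude_uris'] = array();
```
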
CSRF requires cookies. In fact sessions require cookies too.

I suppose you could do it without cookies although that seems very complicated. You would have to pass a session identifier and a csrf token in all your urls, which seems a bit of a nightmare to me.

I would be interested in alternative answers to this too, and it is a great question IMHO. If a user has cookies disabled in their browser, then none of my sites would work. I had not considered this before.

Even detecting that is a pain. You would need to attempt to set a cookie, then redirect to another page, and then see if the cookie was set or not for that page, and if not, set an alert of some description.

It might be easier to have a js test to see if cookies are enabled and display a message if not. But then you would have to test to see if JS was enabled or not too.

I have never had any issues related to any of this, so I assume switching off js or cookies is very rare. I would also guess that anyone that did would be used to sites not working properly because of this in general, but I think a more satisfactory answer must be out there.

Best wishes,

Paul
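
The "set a cookie, redirect, then look for it" probe PaulD describes above, as an added example that is not part of the original post or of CodeIgniter. It is plain PHP (7.3+ for the options-array form of setcookie) meant to run before the application starts, for instance in a front controller or a CodeIgniter pre_system hook; the names PROBE_COOKIE, PROBE_PARAM, cookieProbeState, probeRedirectUrl and probeRetryUrl are chosen for this example.

```php
<?php
// Added example, not code from the original post or from CodeIgniter: the
// "set a cookie, redirect, then look for it" probe PaulD describes, as plain
// PHP (7.3+ for the options-array form of setcookie). PROBE_COOKIE, PROBE_PARAM,
// cookieProbeState, probeRedirectUrl and probeRetryUrl are this example's names.

const PROBE_COOKIE = 'cookie_probe';   // cookie we try to set
const PROBE_PARAM  = 'cookie_probe';   // query marker meaning "we already tried once"

/**
 * Classify the request from what the browser sent back:
 *   'set'      first visit, no cookie and no marker: set the cookie and redirect
 *   'enabled'  the probe cookie came back, so cookies work
 *   'disabled' marker present but no cookie: the browser dropped it
 */
function cookieProbeState(array $cookies, array $query): string
{
    if (isset($cookies[PROBE_COOKIE])) {
        return 'enabled';
    }
    if (isset($query[PROBE_PARAM])) {
        return 'disabled';
    }
    return 'set';
}

/** Same path and query as the current request, with the marker appended. */
function probeRedirectUrl(string $requestUri): string
{
    $sep = (strpos($requestUri, '?') === false) ? '?' : '&';
    return $requestUri . $sep . PROBE_PARAM . '=1';
}

/** Path and query of the current request with the marker removed (retry link). */
function probeRetryUrl(string $requestUri): string
{
    $parts = parse_url($requestUri);
    $path  = $parts['path'] ?? '/';
    parse_str($parts['query'] ?? '', $q);
    unset($q[PROBE_PARAM]);
    return $q ? $path . '?' . http_build_query($q) : $path;
}

switch (cookieProbeState($_COOKIE, $_GET)) {
    case 'set':
        // Same flags the real session cookie needs, so the probe is honest:
        // if this one is dropped, ci_session would be dropped too.
        setcookie(PROBE_COOKIE, '1', [
            'path'     => '/',
            'secure'   => !empty($_SERVER['HTTPS']),
            'httponly' => true,
            'samesite' => 'Lax',
        ]);
        // REQUEST_URI is the target the browser asked for, so we only ever redirect to ourselves.
        header('Location: ' . probeRedirectUrl($_SERVER['REQUEST_URI']), true, 302);
        exit;

    case 'disabled':
        header('Content-Type: text/plain; charset=utf-8');
        echo "This site needs cookies for login and form protection.\n",
             "Enable them for this domain, then retry: ",
             probeRetryUrl($_SERVER['REQUEST_URI']), "\n";
        exit;

    case 'enabled':
    default:
        // Cookies work: hand over to the application (session and CSRF will function).
        break;
}
```

The probe cookie has no expiry, so each new browser session is probed once and every later request in that session skips straight to the application. A visitor who opens a shared or bookmarked URL that already carries the marker lands in the 'disabled' branch even with cookies on, which is why the message links back to the URL without the marker: following it runs a fresh probe.
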
(11-18-2017, 05:34 AM)PaulD Wrote: [ -> ]CSRF requires cookies. In fact sessions require cookies too. [...]

I am no web development expert but how do other sites work and still implement CSRF protection? I can log into other sites just fine with my browser set to not accept cookies. If I disable CSRF then could I implement another solution to protect my site from attacks?
I never use CodeIgniter's CSRF protection feature. I ended up making my own and using a rotating array of tokens. It helped solve some problems for me. It is part of Community Auth. See the library here:

https://bitbucket.org/skunkbad/community...ew-default

Checking if request is good as needed:

PHP Code:
if( $this->tokens->match ){
    // the posted token matched one in the tokens cookie: proceed
}

Get a token manually:

PHP Code:
$token = $this->tokens->token();

I extended the form helper too so that my token is injected into the form by form_open. That'd be located here:

https://bitbucket.org/skunkbad/community...ew-default
(11-18-2017, 09:38 AM)skunkbad Wrote: [ -> ]I never use CodeIgniter's CSRF protection feature. I ended up making my own and using a rotating array of tokens. [...]

Thanks Skunkbad, I actually already use Community Auth on my site for authentication. I see that the Token class is present (Form Tokens Library - V1.0.2). I will give this a try.

So, is there a manual on how to implement and start using this class in place of CSRF?
(11-18-2017, 10:16 AM)reesethebeast Wrote: [ -> ]Thanks Skunkbad, I actually already use Community Auth on my site for authentication. I see that the Token class is present (Form Tokens Library - V1.0.2). I will give this a try.

So, is there a manual on how to implement and start using this class in place of CSRF?

There is no documentation for the tokens library. If you use the form_open function then it adds the token to your form. If you're using AJAX and need a token, just create a hidden form element for the token, then add the value to your POST. On the server side, if you check $this->tokens->match then you know if there was a match, and you can proceed. There's nothing fancy about it. All the work is done by the library.

Since using a token removes it from the array of tokens, if you are using AJAX then you need to pass back a new token, and apply it to the hidden form element. You get a new token with $this->tokens->token();
(11-18-2017, 05:56 AM)reesethebeast Wrote: [ -> ]I am no web development expert but how do other sites work and still implement CSRF protection?

Who says they do?

(11-18-2017, 05:56 AM)reesethebeast Wrote: [ -> ]I can log into other sites just fine with my browser set to not accept cookies.

Not that it's impossible, but almost every website today utilizes cookies and therefore the entire web would be broken to you if you disabled them. I don't believe this.
(11-18-2017, 12:43 PM)skunkbad Wrote: [ -> ]There is no documentation for the tokens library. If you use the form_open function then it adds the token to your form. [...]

Thanks Skunkbad. I turned off CSRF and I can see the Community Auth token in my form. I added a check in MY_Controller for the token match and if not matched, I redirect back to the original page. The check is always returning a non-match.

Code:
if( $this->tokens->match )
{
    // matched: proceed (the redirect back happens otherwise)
}

Once this is working I will need to change all of my AJAX code to look for "token" versus the CodeIgniter token name from the config file.
Is there a way to rename the Community Auth token so I can use what I defined in the config.php file? This way I can leave this reference as is and just add $this->tokens->token(); to my AJAX code?
1) When you use the form_open function or generate a new token using $this->tokens->token(), the token is automatically added to the tokens cookie. See the "Tokens Cookie Config" section on this page:

https://community-auth.com/documentation...cation-php

By default the name of your POSTed token should be "token", but you can change it to whatever you want by changing the value in config/authentication.php:

PHP Code:
$config['token_name'] = 'token';

When you POST via a form or AJAX, the token needs to be posted right along with the rest of the post data. The tokens library checks to see if the posted token matches one in the cookie. This is a lot like the way CodeIgniter's CSRF does it, except CodeIgniter only has a single token value. There are other differences between CodeIgniter's CSRF and my tokens library, but for basic usage you will find that they are more or less working the same way.
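
skunkbad's two posts above describe the scheme in words: several valid tokens live in a cookie rather than in the session, a posted token has to match one of them, a matched token is consumed, and an AJAX caller is handed a fresh token to put back into its hidden field. The block below is an added example of that scheme and is not Community Auth's code. Signing the cookie with an HMAC, the MAX_TOKENS cap and every name in it (TOKEN_COOKIE, TOKEN_FIELD, SIGNING_KEY, encodeJar, decodeJar, issueToken, consumeToken, expect) are this example's own choices; it needs PHP 7.1+ and runs from the command line as a self-check with constructed data.

```php
<?php
// Added example, not Community Auth's code: a minimal "rotating array of
// tokens" CSRF check of the kind skunkbad describes. Many valid tokens are kept
// in a cookie, a posted token must match one of them, the matched token is
// consumed, and an AJAX caller gets a fresh one back. The HMAC signing, the
// MAX_TOKENS cap and all names here are this example's own choices. PHP 7.1+.

const TOKEN_COOKIE = 'tokens';  // cookie holding the signed token list
const TOKEN_FIELD  = 'token';   // POST field name; 'token' is also skunkbad's default
const MAX_TOKENS   = 10;        // unused tokens one client may hold (open tabs, several forms)

// Assumption: loaded from config in a real app, never a literal. The signature
// stops a client, or any host under a shared '.mysite.com' cookie domain, from
// writing its own token list into the cookie.
const SIGNING_KEY  = 'replace-with-a-long-random-secret';

/** Cookie value: base64(json list) . '.' . hex HMAC over that payload. */
function encodeJar(array $jar, string $key): string
{
    $payload = base64_encode(json_encode(array_values($jar)));
    return $payload . '.' . hash_hmac('sha256', $payload, $key);
}

/** Verify and parse the cookie; anything missing, malformed or tampered yields []. */
function decodeJar(?string $cookie, string $key): array
{
    if ($cookie === null || strpos($cookie, '.') === false) {
        return [];
    }
    [$payload, $mac] = explode('.', $cookie, 2);
    if (!hash_equals(hash_hmac('sha256', $payload, $key), $mac)) {
        return [];
    }
    $jar = json_decode((string) base64_decode($payload, true), true);
    return is_array($jar) ? array_values(array_filter($jar, 'is_string')) : [];
}

/** Mint a token, append it, and drop the oldest once the jar is full. */
function issueToken(array &$jar): string
{
    $token = bin2hex(random_bytes(16));
    $jar[] = $token;
    while (count($jar) > MAX_TOKENS) {
        array_shift($jar);
    }
    return $token;
}

/** True if $posted matches one unused token; that token is removed (single use). */
function consumeToken(array &$jar, $posted): bool
{
    if (!is_string($posted)) {       // token[]=x or a missing field is a failure, not a TypeError
        return false;
    }
    foreach ($jar as $i => $candidate) {
        if (hash_equals($candidate, $posted)) {   // constant-time compare
            unset($jar[$i]);
            $jar = array_values($jar);
            return true;
        }
    }
    return false;
}

function expect(bool $ok, string $what): void
{
    if (!$ok) { fwrite(STDERR, "FAILED: $what\n"); exit(1); }
    echo "ok: $what\n";
}

if (PHP_SAPI === 'cli') {
    // Offline walk-through of one cookie round trip (constructed, no browser involved).
    $jar    = decodeJar(null, SIGNING_KEY);            // first visit: empty jar
    $t1     = issueToken($jar);                         // what form_open() would put in the hidden field
    $t2     = issueToken($jar);                         // a second form on the same page
    $cookie = encodeJar($jar, SIGNING_KEY);             // value setcookie(TOKEN_COOKIE, ...) would send

    $jar = decodeJar($cookie, SIGNING_KEY);             // next request: read the cookie back
    expect(consumeToken($jar, $t1) === true,  'first submit with t1 matches');
    expect(consumeToken($jar, $t1) === false, 'replaying t1 is rejected');
    expect(consumeToken($jar, $t2) === true,  't2 from the other form still matches');
    expect(consumeToken($jar, 'not-a-token') === false, 'unknown token is rejected');
    expect(consumeToken($jar, ['x']) === false, 'array instead of string is rejected');
    expect(decodeJar(encodeJar(['forged'], 'wrong-key'), SIGNING_KEY) === [],
           'cookie signed with another key is discarded');

    // AJAX reply after a successful POST: a replacement token for the hidden field.
    $fresh = issueToken($jar);
    echo json_encode(['ok' => true, TOKEN_FIELD => $fresh]), "\n";
}
```

In the web flow the controller reads the jar with decodeJar from $_COOKIE[TOKEN_COOKIE], calls consumeToken with $_POST[TOKEN_FIELD] ?? null, and at the end of every request writes the jar back with setcookie(TOKEN_COOKIE, encodeJar($jar, SIGNING_KEY), ['path' => '/', 'secure' => true, 'httponly' => true, 'samesite' => 'Lax']). The cookie is the server's record and the hidden field is the client's copy, which is why nothing about the tokens appears in the ci_sessions table. Like CodeIgniter's built-in CSRF check, the scheme still needs the browser to accept at least one cookie, so it does not change the answer to the original question about browsers set to refuse cookies.
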
(11-19-2017, 02:43 PM)skunkbad Wrote: [ -> ]1) When you use the form_open function or generate a new token using $this->tokens->token(), the token is automatically added to the tokens cookie. [...]

Thanks for the reply. I am going to play around with this and see if I can get things working. I changed the token name and I can see it in the hidden form element. When I check my session in the database, I do not see a token value, however.