CodeIgniter Forums
Protection against CSRF attacks. Help! - Printable Version

Thread: Protection against CSRF attacks. Help! (/showthread.php?tid=56007)



Protection against CSRF attacks. Help! - El Forum - 11-21-2012

[eluser]jojo777[/eluser]
Hi everyone,

I'm working on some code trying to make more secure forms, but I'm finding some troubles and some questions that I need to understand about CSRF protection to be sure that I'm doing it right. So here I go!! Oh... I'm not using the CI tokens...

I'm developing some modules for a website, so when the users are logged in they can access some forms to edit their profile, change password, send messages... So, any time the logged-in user accesses any of these sections the code generates a random token that is sent to the view in a hidden input. Then the user fills in the form fields and submits it. The controller checks that the hidden input is sent and checks it against the random value that was created before the form was loaded. Everything looks like it works fine, but I would like to know if I'm doing it right.

In addition, I would like to know how a forum works in that sense. I mean, you can open many tabs and send all the forms. In my case the user can only send the last loaded form because the token is replaced any time a form is shown.

So, any ideas? I'd appreciate any help about how to improve it and learn more about multiple tabs with tokens, if possible. Finally, should I use tokens at login and logout? Thanks!!

Here is the code I use:

Token test function:

Code:
function token_test(){
    // Only logged-in users may reach this form
    if (!$this->users_model->is_logged_in()){
        redirect('users/login', 'refresh');
    }

    if($this->input->post()){ // If the form is submitted, check the token
        if($this->is_valid_token()){
            $data['nombre'] = $this->input->post('nombre', TRUE);
            $data['comentario'] = $this->input->post('comentario', TRUE);
            $data['view'] = 'members/token_test_success';
            $this->load->view('_includes/template', $data); // load a view that shows a success message with the data.
        }else{
            echo '<p>error de token</p>'; // example error message
        }
    }else{
        // First visit: create a token, store it in the session and render the form
        $request_token = $this->_create_token();

        $token_session = array(
            'request_token' => $request_token
        );
        $this->session->set_userdata($token_session);

        $data['view'] = 'members/token_test';
        $this->load->view('_includes/template', $data);
    }
}

The create token function
Code:
function _create_token(){
    $token = sha1(uniqid(microtime(), TRUE));

    return $token;
}

The form view:
Code:
<form method="post" action="token_test_validation">
<input type="hidden" name="csrf_token" value="<?php echo $this->session->userdata('request_token'); ?>">

<label>Nombre</label>
<input type="text" name="nombre" value="Yeah baby!">
<label>Comentario</label>
<textarea name="comentario">This is a test</textarea>
<input name="input" type="submit" id="submit_singup" class="btn btn-primary" value="Guardar cambios" title="Pulse para guardar" />
</form>

Token Check
Code:
function is_valid_token($key = 'csrf_token'){
    // The posted token must be present and identical to the one stored in the session
    return ($this->input->post($key) && ($this->input->post($key) === $this->session->userdata('request_token')));
}
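The post's open question is how a site can keep several tabs' forms valid at once when a single `request_token` is overwritten on every page load. Below is an added example, not code from the poster or from CodeIgniter, showing one answer: keep a small pool of tokens in the session instead of one, issue a fresh token per rendered form, and remove a token once it has been used. It is plain PHP with an array standing in for `$this->session`; the class name `CsrfTokenPool`, the `csrf_tokens` session key, the pool size and the lifetime are all assumptions made for the illustration. It also swaps `sha1(uniqid(microtime(), TRUE))` for `random_bytes()` (a CSPRNG) and `===` for `hash_equals()` (a constant-time compare); both functions arrived after this 2012 thread (PHP 7.0 and 5.6 respectively).

```php
<?php
// Added example, not from the forum post: a per-form CSRF token pool kept in
// the session so that several open tabs each hold their own valid token.
// Class name, session key, limits and field names are assumptions.

final class CsrfTokenPool
{
    private const MAX_TOKENS = 20;    // bound the pool so one user cannot bloat the session
    private const TTL_SECONDS = 3600; // tokens older than this are discarded

    /** @var array<string,int> token => issued-at timestamp (lives inside the session array) */
    private array $pool;

    public function __construct(array &$session)
    {
        if (!isset($session['csrf_tokens']) || !is_array($session['csrf_tokens'])) {
            $session['csrf_tokens'] = [];
        }
        $this->pool = &$session['csrf_tokens'];
    }

    /** Issue a fresh token for one rendered form and remember it. */
    public function issue(?int $now = null): string
    {
        $now = $now ?? time();
        $this->prune($now);
        // 32 bytes from the CSPRNG, hex-encoded: unlike uniqid()/microtime() this is not guessable
        $token = bin2hex(random_bytes(32));
        $this->pool[$token] = $now;
        // If the pool is full, drop the oldest entries (insertion order is preserved by PHP arrays)
        while (count($this->pool) > self::MAX_TOKENS) {
            reset($this->pool);
            unset($this->pool[key($this->pool)]);
        }
        return $token;
    }

    /** Validate a submitted token. A token that validates is removed, so it cannot be replayed. */
    public function consume(?string $submitted, ?int $now = null): bool
    {
        $now = $now ?? time();
        $this->prune($now);
        if ($submitted === null || $submitted === '') {
            return false;
        }
        foreach (array_keys($this->pool) as $token) {
            // hash_equals compares in constant time, so partial matches leak nothing through timing
            if (hash_equals((string) $token, $submitted)) {
                unset($this->pool[$token]);
                return true;
            }
        }
        return false;
    }

    /** Forget tokens whose lifetime has expired. */
    private function prune(int $now): void
    {
        foreach ($this->pool as $token => $issuedAt) {
            if ($now - $issuedAt > self::TTL_SECONDS) {
                unset($this->pool[$token]);
            }
        }
    }
}

// Usage with a constructed session array standing in for the CI session store.
$session = [];
$pool = new CsrfTokenPool($session);

$tabA = $pool->issue(); // the form is opened in tab A
$tabB = $pool->issue(); // the form is opened in tab B; tab A's token is not overwritten

var_dump($pool->consume($tabA)); // tab A submits its form
var_dump($pool->consume($tabA)); // the same token is submitted again (replay)
var_dump($pool->consume('not-a-token')); // a token the server never issued
var_dump($pool->consume($tabB)); // tab B submits its form
```

In a CodeIgniter controller the same idea maps onto the poster's code: call `issue()` where `_create_token()` is called today, write the array back with `$this->session->set_userdata('csrf_tokens', $session['csrf_tokens'])`, print the issued token into the hidden `csrf_token` input, and replace the `===` check in `is_valid_token()` with `consume($this->input->post('csrf_token'))`. Because each token is single-use, a page that was submitted once cannot be re-posted from the browser's back button or from a captured request, and the pool bound keeps a user who opens many tabs from growing the session without limit.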