Static CSRF - Printable Version
+- CodeIgniter Forums (https://forum.codeigniter.com)
+-- Forum: Using CodeIgniter (https://forum.codeigniter.com/forumdisplay.php?fid=5)
+--- Forum: General Help (https://forum.codeigniter.com/forumdisplay.php?fid=24)
+--- Thread: Static CSRF (/showthread.php?tid=69447)
Static CSRF - agimovel - 11-25-2017

Hello there! I was having some issues with ajax, going forward/back in history and the CSRF token. So someone said to me "well, maybe set csrf_regenerate to FALSE, you don't always need a new token".

My question here is: is this secure? Won't it allow someone to send a javascript to my client with a loop doing something like this?

www.mywebsite.com/admin/states/delete/?id=1
www.mywebsite.com/admin/states/delete/?id=2
www.mywebsite.com/admin/states/delete/?id=3
www.mywebsite.com/admin/states/delete/?id=4

Another thing: my website won't log you out until you ask it to, so my $config['csrf_expire'] is 77760000.

Can anyone help me with this one?

RE: Static CSRF - PaulD - 11-25-2017

If you have a token that is static for the entire session, then yes, a compromised CSRF token can be used again and again by the attacker.

Quote: My question here is: is this secure?

No, it most certainly is not. A bit more secure than having no CSRF, but not much, and it is a poor implementation. It is unwise not to regenerate the token. But I suppose in less mission-critical places like submitting a contact form or other such simple thing, you could do this. But in anything but the most simple application, setting regenerate to FALSE is a bad idea.

Eg, a quick google for this: https://haiderm.com/10-methods-to-bypass-cross-site-request-forgery-csrf/ (see "exploiting poor implementation").

Best wishes,

Paul

RE: Static CSRF - Narf - 11-27-2017

(11-25-2017, 09:24 AM) PaulD Wrote:
Quote: But I suppose in less mission-critical places like submitting a contact form or other such simple thing, you could do this.

And welcome the spam bots with that. Unless you put a CAPTCHA in there, which you should ... and it's a form of CSRF protection.

RE: Static CSRF - PaulD - 11-27-2017

Yes, I would not do it now, but have in the past. I really hate those contact form bots. Having said that, I would never turn regenerate off in the first place, of course.

If people far more advanced and experienced than me have gone to a lot of trouble to give me security tools, the least I can do is use them!

Paul.

RE: Static CSRF - agimovel - 11-27-2017

Ok, thank you guys!
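The thread leaves the original problem unsolved: the OP wanted csrf_regenerate = FALSE because AJAX calls and back/forward navigation kept sending a token that CodeIgniter had already rotated. The usual fix keeps regeneration on (as PaulD and Narf advise) and has the client read the current token from CodeIgniter's CSRF cookie immediately before each request, instead of reusing the value baked into the page when it was rendered. The following is an added example written for this page; it is not code from the thread or from the CodeIgniter project. It assumes CodeIgniter 3's default names, $config['csrf_cookie_name'] = 'csrf_cookie_name' and $config['csrf_token_name'] = 'csrf_test_name'; the cookie string and the field values are constructed for illustration.

```javascript
// Added example (not from the thread or from CodeIgniter itself): keep
// csrf_regenerate = TRUE and still make AJAX work by re-reading the token
// from the CSRF cookie right before every POST.
//
// Assumed CodeIgniter 3 defaults; change both if config.php overrides them.
const CSRF_COOKIE_NAME = 'csrf_cookie_name'; // $config['csrf_cookie_name']
const CSRF_TOKEN_NAME = 'csrf_test_name';    // $config['csrf_token_name']

// Parse a document.cookie-style string ("a=1; b=2") into a Map.
function parseCookies(cookieString) {
  const out = new Map();
  for (const part of cookieString.split(';')) {
    const idx = part.indexOf('=');
    if (idx === -1) continue;
    const name = part.slice(0, idx).trim();
    const value = part.slice(idx + 1).trim();
    if (name) out.set(name, decodeURIComponent(value));
  }
  return out;
}

// The token CodeIgniter currently expects, or null when the cookie is gone
// (session expired, cookie cleared). Callers must not fall back to a token
// captured earlier: with regeneration on, that value is already invalid.
function currentCsrfToken(cookieString) {
  return parseCookies(cookieString).get(CSRF_COOKIE_NAME) ?? null;
}

// Build the form-encoded body for one request. The token is looked up on
// every call, so a page restored from the back/forward cache still sends
// the live value rather than the one rendered into its HTML.
function buildCsrfBody(fields, cookieString) {
  const token = currentCsrfToken(cookieString);
  if (token === null) {
    throw new Error('CSRF cookie missing; reload the page to get a new token');
  }
  const body = new URLSearchParams(fields);
  body.set(CSRF_TOKEN_NAME, token);
  return body;
}

// Browser entry point. Requests that change state must be POSTs carrying
// the token; a GET such as /admin/states/delete/?id=1 is never protected by
// CodeIgniter's CSRF filter, whatever the regenerate setting.
// Keep such POSTs sequential: two overlapping requests would both carry the
// pre-rotation token and the second one would be rejected.
async function postWithCsrf(url, fields) {
  const body = buildCsrfBody(fields, document.cookie);
  const res = await fetch(url, {
    method: 'POST',
    credentials: 'same-origin',
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body,
  });
  if (res.status === 403) {
    throw new Error('CSRF check failed: token was stale or missing');
  }
  return res;
}

// Constructed sample cookie string, as a browser would expose it after
// CodeIgniter rotated the token on the previous response.
const SAMPLE_COOKIE =
  'ci_session=abc123; csrf_cookie_name=7f3a9c0d1e2b4f56; theme=dark';
```

In the browser, `postWithCsrf('/admin/states/delete', { id: '1' })` reads `document.cookie` at call time, so every request carries the token from the latest response and csrf_regenerate can stay at TRUE. The hard failure on a missing cookie is deliberate: silently reusing an old token is exactly the behaviour that tempts people to switch regeneration off.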