CodeIgniter Forums
Static CSRF

+--- Thread: Static CSRF (/showthread.php?tid=69447)



Static CSRF - agimovel - 11-25-2017

Hello there!

I was having some issues with ajax and go forward/back in history and CSRF token.

So someone said to me: "Well, maybe set csrf_regenerate to FALSE; you don't always need a new token."

My question here is: is this secure? Won't it allow someone to send JavaScript to my client with a loop doing something like this:

www.mywebsite.com/admin/states/delete/?id=1
www.mywebsite.com/admin/states/delete/?id=2
www.mywebsite.com/admin/states/delete/?id=3
www.mywebsite.com/admin/states/delete/?id=4

Another thing: my website won't log you out until you ask it to, so my $config['csrf_expire'] is 77760000.

Can anyone help me with this one?


RE: Static CSRF - PaulD - 11-25-2017

If you have a token that is static for the entire session, then yes, a compromised CSRF token can be used again and again by the attacker.

Quote: My question here is: is this secure?
No, it most certainly is not. A bit more secure than having no CSRF, but not much, and is a poor implementation.

It is unwise not to regenerate the token. But I suppose in less mission-critical places, like submitting a contact form or some other such simple thing, you could do this. But in anything but the most simple application, setting regenerate to FALSE is a bad idea.

E.g. a quick Google search for this: https://haiderm.com/10-methods-to-bypass-cross-site-request-forgery-csrf/ (see "exploiting poor implementation").

Best wishes,

Paul
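As an added illustration of Paul's advice (this is example code, not from the thread or from CodeIgniter itself), the block below puts the weak setting from the question beside the safe one and shows a CodeIgniter 3 controller that keeps csrf_regenerate = TRUE while still working with AJAX: each response returns the freshly regenerated token so the client can send it with its next POST. The States controller, its route and the 7200-second expiry are assumptions; the config keys and the $this->security, $this->input and $this->output calls are CodeIgniter 3's own.

```php
<?php
// Added example (not from the thread): CodeIgniter 3 CSRF settings and a
// controller that survives token regeneration when called via AJAX.
// Controller/route names and the 7200 s expiry are assumptions.

// --- application/config/config.php ---
$config['csrf_protection']   = TRUE;
$config['csrf_token_name']   = 'csrf_token';
$config['csrf_cookie_name']  = 'csrf_cookie';
// Weak setting from the question (kept here only for contrast):
//   $config['csrf_expire']     = 77760000;  // ~2.5 years: a leaked token stays valid that long
//   $config['csrf_regenerate'] = FALSE;     // one static token for the whole session
// Safe settings:
$config['csrf_expire']       = 7200;   // seconds; a leaked token dies within two hours
$config['csrf_regenerate']   = TRUE;   // fresh token on every request (the CI3 default)
$config['csrf_exclude_uris'] = array();

// --- application/controllers/States.php (hypothetical) ---
class States extends CI_Controller
{
    // Destructive actions must be POST. CI3 only verifies the CSRF token on
    // POST requests, so a GET route like /admin/states/delete/?id=1 would
    // skip the check entirely, whatever csrf_regenerate is set to.
    public function delete()
    {
        if ($this->input->method(TRUE) !== 'POST') {
            show_error('Method Not Allowed', 405);
        }

        $id = (int) $this->input->post('id');
        // ... delete the row with primary key $id here (omitted) ...

        // Hand the regenerated token back to the caller. Because
        // csrf_regenerate is TRUE, the token the client just used is now
        // stale; an AJAX client must read csrf_name/csrf_hash from this
        // JSON and include them in its next POST body.
        $this->output
            ->set_content_type('application/json')
            ->set_output(json_encode(array(
                'deleted'   => $id,
                'csrf_name' => $this->security->get_csrf_token_name(),
                'csrf_hash' => $this->security->get_csrf_hash(),
            )));
    }
}
```

The same idea covers the back/forward history problem from the question: a page restored from the browser cache holds a stale token, so the client should refresh the token (from the csrf_cookie or from the last JSON response) before submitting rather than disabling regeneration on the server.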


RE: Static CSRF - Narf - 11-27-2017

(11-25-2017, 09:24 AM)PaulD Wrote: But I suppose in less mission critical places like submitting a contact form or other such simple thing, you could do this.

And welcome the spam bots with that.

Unless you put a CAPTCHA in there, which you should ... and it's a form of CSRF protection.


RE: Static CSRF - PaulD - 11-27-2017

Yes, I would not do it now, but have in the past. I really hate those contact form bots. Having said that, I would never turn regenerate off in the first place of course.

If people far more advanced and experienced than me have gone to a lot of trouble to give me security tools, the least I can do is use them!

Paul.


RE: Static CSRF - agimovel - 11-27-2017

Ok, thank you guys!