CSRF regeneration, and does this break AJAX in corner cases?
[eluser]Chillahan[/eluser]
I remember seeing in this article that the CSRF token gets regenerated every time a request is made to the server: http://www.beheist.com/index.php/en/blog...loser-look But observing my CSRF cookie, that is not the case. It seems it is, at most, regenerating at the 7200-second/two-hour period specified in my config file. However, this could have bad effects on AJAX, right - because if a user is making AJAX requests, the form field input and the cookie are not being updated. Worse, it would just stop working completely after the two-hour mark gets hit, and it will appear the app is broken. (Not to mention it's not always two hours: the two hours is system-wide, right, so it's possible someone might make an AJAX request 3 seconds before the next code is generated, and then fail on all future AJAX requests?) Am I understanding this correctly? And if I am, it seems the only real answer is to turn off CSRF on AJAX requests using a pre-system hook or in the config file itself, right? I assume using a condition of "$input->is_ajax_request()" to turn CSRF on or off would suffice? I apologize in advance for asking what seems like it would be already answered, but I just could not find real information on this in my searching.
[eluser]toopay[/eluser]
[quote author="Chillahan" date="1306286215"]But observing my CSRF cookie, that is not the case. It seems it is, at most, regenerating at the 7200-second/two-hour period specified in my config file. However, this could have bad effects on AJAX, right - because if a user is making AJAX requests, the form field input and the cookie are not being updated. Worse, it would just stop working completely after the two-hour mark gets hit, and it will appear the app is broken. (Not to mention it's not always two hours: the two hours is system-wide, right, so it's possible someone might make an AJAX request 3 seconds before the next code is generated, and then fail on all future AJAX requests?) Am I understanding this correctly?[/quote] Yes, but do you know the reason why CI uses a rotating system? ;-)
[eluser]Chillahan[/eluser]
I don't believe it does rotate every request, only every time the system reaches the next time interval (as set in the config file). If you know different, I am all ears! I am going to do some tests: does the cookie actually get updated even though it's AJAX and the page is not refreshed? If so, is this reliable cross-browser? If so, I will implement the JavaScript "read the cookie directly" approach; that should take care of it.
[eluser]Chillahan[/eluser]
Update - OK, kids, this is what I found out.
a) The expiration value, like the token and cookie name values, does not get read from config;
b) the CSRF code keeps extending the expiration of your EXISTING cookie. It is not secure because it does not force a new value ever, I believe - just by the fact that you have the cookie set, it trusts it as being a valid value once, and will send that back as the value to use (for the hidden form input);
c) I used the cookie script mentioned here: http://aymsystems.com/ajax-csrf-protecti...omment-340 I notice that once the cookie expires, a new one will NOT get set. Isn't this against expectations? Requesting normally will set a new cookie if the old one was expired. But requesting anew through AJAX does NOT get a new cookie. Is it setting cookies through AJAX that's the problem, or something else in CI's CSRF internals?
[eluser]LuckyFella73[/eluser]
I wonder if someone has found a solution to update the CSRF token when using JavaScript to send the POST data. Otherwise it's nearly useless to use it; only the first POST is secured. Would be great if you could share your knowledge =) Best regards
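The "read the cookie directly" approach raised earlier in the thread, written out as an added example (not code from any poster, and not CodeIgniter's own library code). It assumes the CodeIgniter 2.x default names `csrf_test_name` (the form field, `$config['csrf_token_name']`) and `csrf_cookie_name` (the cookie, `$config['csrf_cookie_name']`); change them if your config differs. The point is that the token is re-read from `document.cookie` at the moment each AJAX POST is built, so a token the server rotated via Set-Cookie on an earlier response is picked up without a page reload, and a missing cookie is surfaced as an error instead of producing a POST that the server will silently reject.

```javascript
// Assumed CodeIgniter 2.x defaults; adjust to match application/config/config.php.
const CSRF_TOKEN_NAME = 'csrf_test_name';   // hidden form field the server checks
const CSRF_COOKIE_NAME = 'csrf_cookie_name'; // cookie holding the same value

// Parse a document.cookie-style string ("a=1; b=2") into a plain object.
function parseCookies(cookieString) {
  const out = {};
  for (const part of cookieString.split(';')) {
    const idx = part.indexOf('=');
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    const value = part.slice(idx + 1).trim();
    if (name) out[name] = decodeURIComponent(value);
  }
  return out;
}

// Current CSRF token, or null when the cookie is absent (expired or never set).
function readCsrfToken(cookieString) {
  const cookies = parseCookies(cookieString);
  return Object.prototype.hasOwnProperty.call(cookies, CSRF_COOKIE_NAME)
    ? cookies[CSRF_COOKIE_NAME]
    : null;
}

// Build an application/x-www-form-urlencoded body with the live token appended.
// Throws when there is no token cookie: CI would reject the POST anyway, so it is
// better to tell the user to reload (and get a fresh cookie) than to fail silently.
function buildPostBody(fields, cookieString) {
  const token = readCsrfToken(cookieString);
  if (token === null) {
    throw new Error('CSRF cookie missing; reload the page to obtain a fresh token');
  }
  const params = new URLSearchParams();
  for (const [key, value] of Object.entries(fields)) params.append(key, value);
  params.set(CSRF_TOKEN_NAME, token); // always overrides any stale copy in fields
  return params.toString();
}

// Browser entry point: the cookie is read at send time, never cached in the page,
// so every AJAX POST carries whatever token the server most recently issued.
async function postWithCsrf(url, fields) {
  const body = buildPostBody(fields, document.cookie);
  return fetch(url, {
    method: 'POST',
    credentials: 'same-origin',
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body,
  });
}
```

This only works because CodeIgniter's CSRF cookie is readable from JavaScript (it is a double-submit design: the server compares the posted field against the cookie), so do not mark that cookie HttpOnly. It also does nothing for the case Chillahan observed where an expired cookie is not re-issued on an AJAX request; in that situation `buildPostBody` throws, and the calling code should reload the page rather than keep retrying. Skipping the check for requests that merely carry an `X-Requested-With` header removes the protection from the requests it was meant to cover, so re-reading the cookie is the safer fix.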