CSRF and double posting
#7

(This post was last modified: 06-19-2016, 03:29 PM by PaulD. Edit Reason: Added PS )

Hmm. Not sure. I think I am confusing myself.

I don't think it is a race condition. Unsetting the global $_COOKIE is a server function and immediate. The hash is reset and then the new info is sent back to the existing browser's cookie in the header info on next page load. Where I get confused though is that two posts were accepted. I think it is because of the session being correct. So did the cookie hash and form hash match? Yes, they did. Was my session valid? Yes, it was. Hence everything proceeded to add twice.

I think, and I really don't know what I am talking about really, it is caused because my session is not regenerated. So Session ok, cookie matches form, so do the second post.

So it is not a race condition, but I think you are also right. That if the session hash is encoded in a cookie, and is sent and checked for authorization (post authentication), why set the cookie for csrf at all? Surely it would be much better off in the session table as you said. Does the posted CSRF hash match the stored session CSRF hash would be the only question? If so change the session CSRF hash and make it available for the next hidden input field. The second post coming in would then fail.

So why is there a CSRF cookie at all? As I said I am getting confused, because now the entire CSRF cookie thing seems wrong, if not entirely pointless if I can double post.

As I already said, I really don't know, but I have had an interesting read around it at least.

Thanks for the input, at least I have a better idea of the problem now.

Paul

PS It might be cookie based because of Ajax requests, but they get buggered up and confused by regenerated CSRF hashes anyway.
There is an interesting attempt at answering this here http://stackoverflow.com/questions/20504...in-cookies but although easy to follow it is still not entirely clear to me why a csrf token is needed as well. As far as I can tell a successful ajax csrf protected response should include the next csrf token to be used, allowing for stringed requests. But I think I have to read more about this.
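
The session-stored, single-use token described in the post above, as an added example that is not part of the original thread and not CodeIgniter's own code. The `SessionCsrf` class, its method names and the `csrf_token` key are hypothetical, and a plain array stands in for `$_SESSION` so the script runs from the CLI.

```php
<?php
// Added example: CSRF token kept server-side in the session and rotated
// after every successful check, so a replayed form token is rejected.
final class SessionCsrf
{
    private const KEY = 'csrf_token'; // hypothetical session key
    private $session;

    // $session is a reference to the session store (e.g. $_SESSION).
    public function __construct(array &$session)
    {
        $this->session = &$session;
    }

    // Token to embed in the next hidden input; created on first use.
    public function token(): string
    {
        if (empty($this->session[self::KEY])) {
            $this->session[self::KEY] = bin2hex(random_bytes(32));
        }
        return $this->session[self::KEY];
    }

    // True only if the posted token matches the stored one. On a match the
    // stored token is discarded, so the same value cannot be used twice.
    public function consume(string $posted): bool
    {
        $stored = $this->session[self::KEY] ?? '';
        if ($stored === '' || !hash_equals($stored, $posted)) {
            return false;
        }
        unset($this->session[self::KEY]);
        return true;
    }
}

// Constructed demo: the same rendered form is submitted twice.
$session   = [];                      // stands in for $_SESSION
$csrf      = new SessionCsrf($session);
$formToken = $csrf->token();          // value placed in the hidden field

foreach (['first submit', 'second submit'] as $label) {
    $ok = $csrf->consume($formToken);
    echo $label . ': ' . ($ok ? 'accepted' : 'rejected (token already used)') . "\n";
    $csrf->token();                   // fresh token issued for the next form
}
```

Two truly simultaneous requests are only serialized if the session handler locks the session for the whole request, as PHP's default file handler does.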