CSRF and double posting
#12

(This post was last modified: 06-20-2016, 12:54 PM by spjonez.)

Narf Wrote: This is BAD advice, don't listen to it.

The fact that you think token regeneration is related to the described problem, shows that you don't understand how CSRF protection works. Thus, you shouldn't randomly tell people to turn security features Off.

I only read the title and the first post, which describe the issue as submitting a form twice, which this setting will break if the first request reaches the server. It also creates problems with single page apps unless you pass the token back and forth as it changes between requests. You can forget about concurrent AJAX requests with this enabled. So yes, I do understand how it works, what it's trying to protect against, and why regenerating it isn't necessary.

Put this at the top of your .htaccess to prevent your site from being loaded into an iframe and have your login page generate the CSRF token.

Code:
Header always append X-Frame-Options SAMEORIGIN

Here are a few pages of reasons why this option does not improve security: http://security.stackexchange.com/questi...rm-request

We've paid to have our app penetration tested and they found no fault with this design.
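Added example (not code from the post or from CodeIgniter) modelling the behaviour argued above: a per-session token and a token regenerated on every request give the same answer to a forged cross-site request, but the regenerating mode rejects the second of two requests that carry the same token (a double submit or two parallel AJAX calls) unless the client picks up the fresh token from each response. The session class, method names and the two-request client are constructed for illustration.

```python
import hmac
import secrets


class CsrfSession:
    """Constructed model of a server-side session holding one CSRF token."""

    def __init__(self, regenerate):
        self.regenerate = regenerate          # models the per-request regeneration setting
        self.token = secrets.token_hex(16)

    def render_form(self):
        """Token embedded in the page when the form is rendered."""
        return self.token

    def handle_post(self, submitted):
        """Constant-time compare of the submitted token; rotate it if regeneration is on."""
        ok = hmac.compare_digest(submitted, self.token)
        if ok and self.regenerate:
            self.token = secrets.token_hex(16)  # the token the client still holds is now dead
        return ok


def concurrent_submits(regenerate, n=2):
    """One rendered page, then n requests carrying the same token before any
    response is processed (double-click submit, or parallel AJAX calls)."""
    s = CsrfSession(regenerate)
    tok = s.render_form()
    return [s.handle_post(tok) for _ in range(n)]


def sequential_with_refresh(n=3):
    """Regeneration on, but the client reads the new token from each response
    before sending the next request, which is the extra work the post describes."""
    s = CsrfSession(regenerate=True)
    tok = s.render_form()
    results = []
    for _ in range(n):
        results.append(s.handle_post(tok))
        tok = s.token  # client updates its copy from the response
    return results


def forged_request(regenerate):
    """A cross-site request never sees the token, so it submits an empty one;
    both modes reject it, so regeneration adds no protection here."""
    return CsrfSession(regenerate).handle_post("")
```

Running `concurrent_submits(False)` gives both requests accepted while `concurrent_submits(True)` rejects the second, and `forged_request` is rejected in either mode.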

