Server config causing CSRF triggers
#3

(This post was last modified: 08-22-2017, 06:55 AM by objecttothis.)

(08-22-2017, 06:18 AM)spjonez Wrote:
(08-22-2017, 03:52 AM)objecttothis Wrote: was causing CI CSRF protection to trigger. IMO this was not a good design decision for CI to use the cookie for the CSRF token because it prevents server-wide hardening such as the above to keep JavaScript from reading the cookie. While that may not be a problem on CI code, one has to keep in mind that there are likely other apps on the server which do not check for this sort of thing. It would be better for CI to use a separate header for the CSRF token.

CI has flags for this in config.php. We use CSRF tokens with both cookie_secure and cookie_httponly set to true and have no issues with bad tokens as long as they are only being used once.

In your screenshot, check the response tab. It will show a 403 if that is indeed what's happening. If it is, ensure you're only using the same token once unless csrf_regenerate is set to false.

Yes, it is a 403, which is what CSRF is supposed to return when triggered if I understand correctly. Below is the relevant section of my config.php. Are you saying that I need to set cookie_secure and cookie_httponly to true? We are handling sessions through the database driver, not the file system.

PHP Code:
/*
|--------------------------------------------------------------------------
| Cookie Related Variables
|--------------------------------------------------------------------------
|
| 'cookie_prefix'   = Set a cookie name prefix if you need to avoid collisions
| 'cookie_domain'   = Set to .your-domain.com for site-wide cookies
| 'cookie_path'     = Typically will be a forward slash
| 'cookie_secure'   = Cookie will only be set if a secure HTTPS connection exists.
| 'cookie_httponly' = Cookie will only be accessible via HTTP(S) (no javascript)
|
| Note: These settings (with the exception of 'cookie_prefix' and
|       'cookie_httponly') will also affect sessions.
|
*/
$config['cookie_prefix'] = '';
$config['cookie_domain'] = '';
$config['cookie_path'] = '/';
$config['cookie_secure'] = FALSE;
$config['cookie_httponly'] = FALSE;

/*
|--------------------------------------------------------------------------
| Cross Site Request Forgery
|--------------------------------------------------------------------------
| Enables a CSRF cookie token to be set. When set to TRUE, token will be
| checked on a submitted form. If you are accepting user data, it is strongly
| recommended CSRF protection be enabled.
|
| 'csrf_token_name'   = The token name
| 'csrf_cookie_name'  = The cookie name
| 'csrf_expire'       = The number in seconds the token should expire.
| 'csrf_regenerate'   = Regenerate token on every submission
| 'csrf_exclude_uris' = Array of URIs which ignore CSRF checks
*/
$config['csrf_protection'] = TRUE;
$config['csrf_token_name'] = 'csrf_ospos_v3';
$config['csrf_cookie_name'] = 'csrf_cookie_ospos_v3';
$config['csrf_expire'] = 7200;
$config['csrf_regenerate'] = TRUE;
$config['csrf_exclude_uris'] = array();
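To make the "only use a token once" point concrete, here is an added example in plain PHP (not CodeIgniter's own code and not from this thread) of a double-submit CSRF check that behaves like csrf_regenerate: the cookie and POST arrays are constructed in memory so it runs from the CLI, and the token and cookie names are taken from the config above.

```php
<?php
// Added example, not CodeIgniter's implementation: a minimal double-submit
// CSRF check mirroring the csrf_regenerate = TRUE behaviour discussed above.
// The cookie jar and the submitted form are constructed arrays, so no web
// server is needed to run this.

function csrf_new_token(): string {
    return bin2hex(random_bytes(16));
}

// Server side: the token the browser echoed back in the hidden form field
// must equal the token stored in the cookie. The cookie is read by the
// server from the request headers, so cookie_httponly (which only blocks
// document.cookie in the browser) does not interfere with this check.
// With $regenerate = true the cookie is replaced after every check, so a
// stale token can never be accepted a second time.
function csrf_verify(array &$cookies, array $post, string $cookieName,
                     string $fieldName, bool $regenerate): int {
    $cookie = $cookies[$cookieName] ?? '';
    $field  = $post[$fieldName] ?? '';
    $ok = $cookie !== '' && $field !== '' && hash_equals($cookie, $field);
    if ($regenerate || !$ok) {
        // Issue a fresh cookie; the old value is discarded.
        $cookies[$cookieName] = csrf_new_token();
    }
    return $ok ? 200 : 403;
}

$cookieName = 'csrf_cookie_ospos_v3';
$fieldName  = 'csrf_ospos_v3';

// Simulated browser state: cookie jar plus the hidden field a form helper
// would have rendered from the cookie value at page-load time.
$cookies = [$cookieName => csrf_new_token()];
$form    = [$fieldName => $cookies[$cookieName]];

// First submission matches the cookie and is accepted.
echo "first submit (regenerate): ", csrf_verify($cookies, $form, $cookieName, $fieldName, true), "\n";
// Re-submitting the same hidden field after regeneration is rejected with
// 403, which is the symptom described in the thread.
echo "replay (regenerate):       ", csrf_verify($cookies, $form, $cookieName, $fieldName, true), "\n";

// With csrf_regenerate = FALSE the same token stays valid until csrf_expire.
$cookies = [$cookieName => csrf_new_token()];
$form    = [$fieldName => $cookies[$cookieName]];
echo "first submit (no regen):   ", csrf_verify($cookies, $form, $cookieName, $fieldName, false), "\n";
echo "replay (no regen):         ", csrf_verify($cookies, $form, $cookieName, $fieldName, false), "\n";
```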
Messages In This Thread
RE: Server config causing CSRF triggers - by objecttothis - 08-22-2017, 06:32 AM
SOLUTION - by objecttothis - 09-07-2017, 04:16 AM