Server config causing CSRF triggers
Quote:- I've hardened my FAMP stack and one or more of those customizations triggers CSRF in CI 3.1.2. Put die statements in the core/Security class and log it step by step. You aren't triggering CSRF you're breaking it. I'd guess it's related to cookies because CSRF is pretty simple in how it works.
OK, here is an example of a place where CSRF returns a 403 (when CSRF is disabled I get 200). I can't figure out what in the code is causing CSRF to not like it.
view form.php
PHP Code:
<?php echo form_open($controller_name . '/save/' . $person_info->person_id, array('id'=>'customer_form', 'class'=>'form-horizontal')); ?>

controller Customers.php
PHP Code:
/*

model Customer.php
PHP Code:
/*

config.php
PHP Code:
$config['global_xss_filtering'] = FALSE;
If I add 'customers/ajax_check_email' to csrf_exclude_uris or set csrf_protection to FALSE it gives me a 200 response code
OK, we are getting closer. Due to the fact that my application doesn't exhibit the same 403 errors on another server that tells me that it's likely a server configuration that is not compatible with CodeIgniter's CSRF implementation. So, I replaced my httpd.conf and php.ini with default production versions and with just the bare minimum server configuration. I found that I was no longer getting the 403 errors. Then I put my php.ini file back to the way it was and immediately the 403 errors came back. This means that minimally there is a problem with the php.ini configuration. I am going to one-at-a-time reimplement and test each directive to see what's causing it and will report back, since it's likely to be useful for anyone else with the same configuration.
OK, I finally found the source of the incompatibility with CodeIgniter's CSRF. In php.ini, if
Code:
suhosin.cookie.encrypt = On
Unsafe

Comment out
Code:
suhosin.cookie.encrypt = On
Safe

Create the line
Code:
suhosin.cookie.plainlist = [insert csrf cookie name from config.php]
Is cookie_httponly set to false? If security is your primary concern this should be set to true which will break the code you posted. Instead of reading the cookie from JS, return the new token with every AJAX call and store it in a variable for subsequent requests.
csrf_regenerate set to true will also cause 403 issues if you make concurrent AJAX calls.
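The two points in the post above (keep the token in a variable instead of reading the cookie, and don't let AJAX calls overlap when csrf_regenerate is on) can be seen together in the following added example. It is not code from this thread or from CodeIgniter: makeServer is a constructed in-memory stand-in that accepts only the single current token and rotates it after each accepted request, and CsrfClient is an assumed browser-side client that stores the token from each response (so cookie_httponly can stay TRUE) and serialises its sends through a promise chain. The names and the { status, csrf_token } response shape are assumptions for illustration.

```javascript
// Added example, not code from the thread or from CodeIgniter. makeServer is a
// constructed stand-in for a server with regenerate-on-every-request CSRF
// tokens; CsrfClient is an assumed browser-side client. The { status,
// csrf_token } response shape is an assumption for illustration.

// Constructed server stand-in: exactly one token is valid at a time. A request
// presenting the current token is accepted and the token is rotated; any other
// token is rejected with 403. Responses arrive asynchronously, like real AJAX.
function makeServer() {
  let current = 'tok-0';
  let counter = 0;
  return {
    // The token the initial page load would embed in the form / JS variable.
    pageLoad() {
      return current;
    },
    request(presented) {
      return new Promise((resolve) => {
        // setTimeout stands in for network latency; requests are processed in
        // the order they were sent.
        setTimeout(() => {
          if (presented !== current) {
            resolve({ status: 403, csrf_token: null });
            return;
          }
          counter += 1;
          current = `tok-${counter}`; // regenerate after every accepted request
          resolve({ status: 200, csrf_token: current });
        }, 5);
      });
    },
  };
}

class CsrfClient {
  constructor(server) {
    this.server = server;
    this.token = server.pageLoad(); // kept in a variable, never read from document.cookie
    this.queue = Promise.resolve(); // tail of the chain that serialises sends
  }

  // Fires immediately with whatever token is held right now. Several of these
  // in flight at once all carry the same token, so only the first is accepted.
  sendUnqueued() {
    return this.server.request(this.token).then((resp) => {
      if (resp.status === 200) this.token = resp.csrf_token; // store the rotated token
      return resp.status;
    });
  }

  // Waits for the previous send to finish (and the token to be updated)
  // before starting the next one, so concurrent callers no longer collide.
  send() {
    const result = this.queue.then(() => this.sendUnqueued());
    this.queue = result.catch(() => undefined); // keep the chain alive on failure
    return result;
  }
}

// Three overlapping calls without the queue: the first is accepted and rotates
// the token, the other two still present the original token and get 403.
function demoUnqueued() {
  const client = new CsrfClient(makeServer());
  return Promise.all([client.sendUnqueued(), client.sendUnqueued(), client.sendUnqueued()]);
}

// The same three calls through send(): each waits for the fresh token.
function demoQueued() {
  const client = new CsrfClient(makeServer());
  return Promise.all([client.send(), client.send(), client.send()]);
}

if (typeof require !== 'undefined' && require.main === module) {
  demoUnqueued().then((r) => console.log('unqueued:', r)); // [ 200, 403, 403 ]
  demoQueued().then((r) => console.log('queued:  ', r)); // [ 200, 200, 200 ]
}
```

Run it with node to see the unqueued calls produce 200, 403, 403 and the queued calls 200, 200, 200. The queue is the simplest fix; the alternative is to turn csrf_regenerate off, which trades the per-request rotation for the ability to fire requests in parallel.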
(09-07-2017, 06:33 AM)spjonez Wrote: Is cookie_httponly set to false? If security is your primary concern this should be set to true which will break the code you posted. Instead of reading the cookie from JS, return the new token with every AJAX call and store it in a variable for subsequent requests.

cookie_httponly is currently set to false. We will later rework the code to allow httponly to be enabled. csrf_regenerate is set to true and so far the AJAX calls haven't been doing things like giving a 200 on the first and 403 on subsequent. Like I said in my last post, this is clearly being caused by an incompatibility between suhosin.cookie.encrypt and CI's CSRF implementation. That's not to say that your suggestions can't be the cause of problems, but in my case it's suhosin.

(09-07-2017, 06:47 AM)objecttothis Wrote: csrf_regenerate is set to true and so far the AJAX calls haven't been doing things like giving a 200 on the first and 403 on subsequent.

As long as only one ever fires and completes at a given time it will work. If you fire one then fire another before the first completes the second you sent will 403. Just thought I'd give you a heads up in case it happens!

(09-07-2017, 11:26 AM)spjonez Wrote:
(09-07-2017, 06:47 AM)objecttothis Wrote: csrf_regenerate is set to true and so far the AJAX calls haven't been doing things like giving a 200 on the first and 403 on subsequent.

Thanks. I'll keep an eye out for that.