CSRF protection without cookie (DSGVO/GDPR)
#1

Hello, everybody,

I have discovered CodeIgniter for myself and would like to implement my new project with it. My problem: the CSRF protection sets a cookie as soon as a form is called. However, this could violate the current, very strict data protection requirements.

My question: Can I implement CSRF protection without a cookie? For example, by including 2 hidden fields. The first field contains the CSRF key (a), the second field the key in encrypted form (b) with e.g. the time. When the form is sent, the CSRF key (a) is encrypted and checked against the value of field (b).

This could replace the cookie, or am I wrong?

Many greetings
Kel
#2

You are allowed to store security related cookies according to EU law. As long as it can't be tied to a specific person.
http://ec.europa.eu/ipg/basics/legal/coo...dex_en.htm

Just specify it in your Cookie Policy page and you are set. Or if you are paranoid; Make a gigantic popup and do not let the user use your site unless they accept.

PS. I won't use your site ever again if you do that... DS
__________________________________

The method you are describing can be tricked. As you aren't storing the value in $_SESSION (which will generate a cookie too) or in $_COOKIE, if they figure out your encryption they can use it for CSRF attacks.
#3

Hi jreklund,

thank you very much for your response. This sounds good. However, I prefer to set any cookie only after the user has confirmed the cookie hint. Unfortunately, there are lawyers in Germany who earn their money only by issuing warnings. You then have to pay large sums for a warning alone. So I don't want to take any chances. I will write my new idea in a new post.

Many greetings
Kel
#4

Ok, I don't know any specific German laws I'm afraid.

If they really are that kind of idiots, I would redirect the user from any page having a <form> (that requires a user sign-in) if there isn't a $_COOKIE['accepted'] available. If they accept, set the cookie and redirect them back.

And have a separate application for public access, as you don't need it on search forms.
Or set csrf_protection = FALSE on public pages.
#5

(08-01-2018, 01:49 AM)jreklund Wrote: If they really are that kind of idiots, I would redirect the user from any page having a <form> (that requires a user sign-in) if there isn't a $_COOKIE['accepted'] available. If they accept, set the cookie and redirect them back.

I had exactly the same idea. But how can I do this check on all pages with forms?
Manually, by running a check in the "__construct" of each class that uses forms?
Or is there a trick for attaching such a check function to the "form_open" function?
#6

Do you have a login? If not, there is no need for CSRF. Then they can just target users to submit a contact form/search function.

So just do the check in login form.
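The consent gate sketched in #4 and asked about in #5, as an added example written for CodeIgniter 3 (it is not code from this thread or from CodeIgniter itself): a base controller whose constructor performs the check once for every controller that extends it, so nothing has to be attached to form_open, plus the controller that sets the cookie and sends the user back. The class names, the 'accepted' cookie, the $require_consent flag and the consent_form view are assumed; is_https(), set_cookie() and csrf_exclude_uris are real CodeIgniter 3 features.

```php
<?php
// Added example, not from the thread: gate sign-in pages behind a consent
// cookie (post #4) from one place instead of every controller (post #5).
// Assumed names: MY_Controller, Consent, the 'accepted' cookie, $require_consent.
defined('BASEPATH') OR exit('No direct script access allowed');

// application/core/MY_Controller.php
class MY_Controller extends CI_Controller
{
    // Controllers for public pages (search, contact form) set this to FALSE.
    protected $require_consent = TRUE;

    public function __construct()
    {
        parent::__construct();
        $this->load->helper('url');
        if ($this->require_consent && ! isset($_COOKIE['accepted'])) {
            // Keep only the same-site path so the return trip cannot become an open redirect.
            $return = '/' . ltrim(uri_string(), '/');
            redirect('consent?return=' . rawurlencode($return));
        }
    }
}

// application/controllers/Consent.php (add 'consent' to csrf_exclude_uris so
// the CSRF cookie is not set before the user has accepted)
class Consent extends CI_Controller
{
    public function index()
    {
        $this->load->helper('url');
        $return = $this->input->get('return', TRUE);
        // Accept only a relative path with a single leading slash.
        if ($return === NULL || ! preg_match('#^/(?!/)#', $return)) {
            $return = '/';
        }
        if ($this->input->post('accept') === 'yes') {
            $this->input->set_cookie(array(
                'name'     => 'accepted',
                'value'    => '1',
                'expire'   => 31536000, // one year, in seconds
                'secure'   => is_https(),
                'httponly' => TRUE,
            ));
            redirect($return);
        }
        $this->load->view('consent_form', array('return' => $return));
    }
}
```

Controllers for public pages extend MY_Controller with $require_consent = FALSE, which matches #6: only pages behind a login need the gate and the CSRF cookie.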