How to make CSRF tokenRandomize = true work with multiple tabs?
#1

(This post was last modified: 01-25-2023, 04:39 PM by Rinart.)

I have a /client/edit/id page that has a POST form. It works just fine on its own but if I open several tabs for editing all tabs except for the last one will result in "This action is not allowed".
Is there some way to solve this, or is it an unfortunate but expected tradeoff of using tokenRandomize = true?
Reply
#2

All tabs should work until you submit one.
If you submit one form, the forms in the other tabs will get "The action you requested is not allowed."

The CSRF token will be regenerated when a form is submitted.

tokenRandomize makes the tokens look random, but the true CSRF token is not changed.
Reply
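To make the masking point concrete, here is a short stand-alone PHP script, added here and not code from the thread or from CodeIgniter itself. It models one stored CSRF token, masks it the way tokenRandomize does (XOR with a fresh random key, key appended), and shows that two tabs receive different-looking tokens that both verify, right up until the stored token is regenerated. Function names are my own, not the framework's API.

```php
<?php
// Added example, not CodeIgniter's own code: a stand-alone model of what
// tokenRandomize does. Function names are mine; the construction (XOR the
// stored token with a fresh random key, append the key) is the one
// CodeIgniter 4 uses internally.

declare(strict_types=1);

const CSRF_HASH_BYTES = 16;

// The real secret. It is created once and stored in the CSRF cookie or the
// session; only regenerate=true (or a call to generateHash()) replaces it.
function generateHash(): string
{
    return bin2hex(random_bytes(CSRF_HASH_BYTES));
}

// Mask the stored token for one page render. The output changes on every
// call, so a BREACH attacker comparing compressed response sizes never sees
// a stable secret to guess byte by byte.
function randomize(string $hash): string
{
    $keyBinary  = random_bytes(CSRF_HASH_BYTES);
    $hashBinary = hex2bin($hash);

    return bin2hex(($hashBinary ^ $keyBinary) . $keyBinary);
}

// Unmask a submitted token: split off the key and XOR it back out.
// Malformed input is rejected before hex2bin() can emit a warning.
function derandomize(string $token): string
{
    if (strlen($token) !== CSRF_HASH_BYTES * 4 || !ctype_xdigit($token)) {
        throw new InvalidArgumentException('malformed CSRF token');
    }
    $value = substr($token, 0, CSRF_HASH_BYTES * 2);
    $key   = substr($token, CSRF_HASH_BYTES * 2);

    return bin2hex(hex2bin($value) ^ hex2bin($key));
}

// What the server does when checking a POST: unmask, then compare in
// constant time against the stored token.
function verify(string $stored, string $submitted): bool
{
    try {
        return hash_equals($stored, derandomize($submitted));
    } catch (InvalidArgumentException $e) {
        return false;
    }
}

$stored = generateHash();

// Two tabs render the same form: each gets a different masked token ...
$tab1 = randomize($stored);
$tab2 = randomize($stored);
printf("tab1: %s\ntab2: %s\ndifferent: %s\n", $tab1, $tab2, $tab1 !== $tab2 ? 'yes' : 'no');

// ... yet both unmask to the one stored token, so both submissions pass.
printf("tab1 verifies: %s\n", verify($stored, $tab1) ? 'yes' : 'no');
printf("tab2 verifies: %s\n", verify($stored, $tab2) ? 'yes' : 'no');

// With regenerate=true the first submission replaces the stored token, and
// the token still sitting in the second tab no longer verifies.
$stored = generateHash();
printf("tab2 after regeneration: %s\n", verify($stored, $tab2) ? 'yes' : 'no');
```

Run it with `php masking.php`. The last line is the multi-tab failure from post #1: the second tab's token was never wrong, it was the stored token underneath that moved.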
#3

(This post was last modified: 01-27-2023, 11:50 AM by Rinart.)

Ok, my bad.
"tokenRandomize" doesn't change the actual value of the token; it 'masks' it to prevent BREACH attacks.
"regenerate" generates a new token after every non-GET request.

I found out that the docs ( https://codeigniter.com/user_guide/libra...generation ) warn about token regeneration:

Quote: Tokens may be either regenerated on every submission (default) or kept the same throughout the life of the CSRF cookie. The default regeneration of tokens provides stricter security, but may result in usability concerns as other tokens become invalid (back/forward navigation, multiple tabs/windows, asynchronous actions, etc).

So if I understand correctly the solution is to:

  1. Disable token regeneration
  2. Call service('security')->generateHash(); on login and logout to update the cookie value
However, from what I can see, with token regeneration disabled the server only sets the CSRF cookie when the old one expires (in 2 hours by default). Which, if I understand correctly, could result in a person browsing the website for 1 hour 59 minutes, then opening a page with a POST form, staying on it for 2 minutes (which puts them above 2 hours), and when they try to send it, it will fail?
UPD: I checked. It does fail.
The only hassle-free solution that comes to mind is to switch CSRF token storage from cookie to session, because from what I can see CodeIgniter keeps the session 'alive' by updating the session cookie every 5 minutes. So anything tied to the session (CSRF in our case) will be kept too.
Reply
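For reference, here is an app/Config/Security.php with the settings the thread arrives at. This is an added example, not the thread's file and not CodeIgniter's shipped defaults; the property names are CodeIgniter 4's, and the comments note which values differ from the defaults and why.

```php
<?php
// Added example (not from the thread or CodeIgniter's shipped file):
// app/Config/Security.php with the combination discussed above.
// Property names and the defaults quoted in comments are CodeIgniter 4's.

namespace Config;

use CodeIgniter\Config\BaseConfig;

class Security extends BaseConfig
{
    // Default is 'cookie'. A cookie-stored token is only re-issued when it
    // expires ($expires), so a form left open past that point submits a
    // stale token. Session storage rides on the session cookie, which
    // CodeIgniter refreshes while the user is active.
    public string $csrfProtection = 'session';

    // Default is false. Masks the token on every render to mitigate BREACH.
    // It does not change the stored token, so it is safe with multiple tabs.
    public bool $tokenRandomize = true;

    public string $tokenName  = 'csrf_test_name';
    public string $headerName = 'X-CSRF-TOKEN';
    public string $cookieName = 'csrf_cookie_name';

    // Lifetime of the CSRF cookie in seconds; only relevant with 'cookie'.
    public int $expires = 7200;

    // Default is true: a new token after every non-GET request, which
    // invalidates the token in every other open tab (back/forward,
    // multiple tabs, async calls). false keeps one token for the whole
    // session, so it must be rotated explicitly at privilege boundaries.
    public bool $regenerate = false;

    // Default is false: respond with a 403 instead of redirecting back.
    public bool $redirect = false;

    public string $samesite = 'Lax';
}
```

With $regenerate = false the token lives as long as the session, so step 2 of the plan above matters: call `service('security')->generateHash()` right after a successful login and again on logout, so a token issued to the anonymous session cannot be replayed against the authenticated one. The masking from $tokenRandomize does not cover that; it only hides the token from compression side channels.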



