How to make CSRF tokenRandomize = true work with multiple tabs?
I have a /client/edit/id page that has a POST form. It works just fine on its own, but if I open several tabs for editing, all tabs except for the last one will result in "This action is not allowed".
Is there some way to solve this, or is it an unfortunate but expected tradeoff of using tokenRandomize = true?
All tabs should work unless you don't submit one.
If you submit one form, the other tab forms will get "The action you requested is not allowed." The CSRF token is regenerated when a form is submitted. tokenRandomize makes tokens look random, but the true CSRF token is not changed.
Ok my bad.
"tokenRandomize" doesn't change the actual value of the token; it 'masks' it to prevent BREACH attacks. "regenerate" generates a new token after every non-GET request. I found out that the docs ( https://codeigniter.com/user_guide/libra...generation ) warn about token regeneration: Quote: Tokens may be either regenerated on every submission (default) or kept the same throughout the life of the CSRF cookie. The default regeneration of tokens provides stricter security, but may result in usability concerns as other tokens become invalid (back/forward navigation, multiple tabs/windows, asynchronous actions, etc). So if I understand correctly the solution is to:
UPD: I checked. It does fail. The only hassle-free solution that comes to mind is to switch CSRF token storage from cookie to session, because from what I can see CodeIgniter keeps the session 'alive' by updating the session cookie every 5 minutes. So anything tied to the session (CSRF in our case) will be kept too.
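The two settings discussed in this thread are easy to confuse, so here is an added example (not CodeIgniter's own code, and not posted by anyone in the thread) that simulates both. The masking routine mirrors the scheme CodeIgniter 4 uses for tokenRandomize (a fresh random key XORed with the token, key and result base64-encoded together), and the CsrfStore class is a hypothetical stand-in for the framework's cookie/session token store. Running it shows that three tabs rendered from the same token carry three different masked strings that all unmask to one value, and that it is the regenerate option, not the masking, that rejects every tab after the first submission.

```php
<?php
// Added demonstration, not CodeIgniter's own code. Masking mirrors the
// tokenRandomize scheme (random key XOR token, base64 of key . ciphertext);
// CsrfStore is a hypothetical stand-in for the cookie/session token store.
declare(strict_types=1);

// A CSRF token in the shape CodeIgniter generates: 32 hex characters.
function generateToken(): string
{
    return bin2hex(random_bytes(16));
}

// Masking: a fresh random key per render, so every form embeds a different
// string, but all of them unmask to the same underlying token. This is what
// defeats BREACH (no stable secret is repeated in compressed responses).
function randomizeToken(string $hexToken): string
{
    $tokenBinary = hex2bin($hexToken);
    $key = random_bytes(strlen($tokenBinary));
    return base64_encode($key . ($key ^ $tokenBinary));
}

// Unmasking: split the decoded blob in half, XOR the halves back together.
function derandomizeToken(string $masked): ?string
{
    $raw = base64_decode($masked, true);
    if ($raw === false || $raw === '' || strlen($raw) % 2 !== 0) {
        return null; // malformed value: treat as invalid, never as a match
    }
    $half   = intdiv(strlen($raw), 2);
    $key    = substr($raw, 0, $half);
    $cipher = substr($raw, $half);
    return bin2hex($key ^ $cipher);
}

// Minimal stand-in for the server-side token store (CSRF cookie or session).
final class CsrfStore
{
    private string $token;
    private bool $regenerate;

    public function __construct(bool $regenerate)
    {
        $this->regenerate = $regenerate;
        $this->token      = generateToken();
    }

    public function currentToken(): string
    {
        return $this->token;
    }

    // True when the submitted (masked) value matches the stored token.
    // With $regenerate = true the token is replaced after every verified
    // submission, which is exactly what invalidates forms still open in
    // other tabs; tokenRandomize alone never changes the stored token.
    public function verify(string $submitted): bool
    {
        $unmasked = derandomizeToken($submitted);
        $ok = $unmasked !== null && hash_equals($this->token, $unmasked);
        if ($ok && $this->regenerate) {
            $this->token = generateToken();
        }
        return $ok;
    }
}

// Three tabs rendered from one token, then submitted one after another.
function simulate(bool $regenerate): array
{
    $store = new CsrfStore($regenerate);
    $tabs  = [];
    for ($i = 1; $i <= 3; $i++) {
        $tabs["tab $i"] = randomizeToken($store->currentToken());
    }
    $results = [];
    foreach ($tabs as $name => $masked) {
        $results[$name] = $store->verify($masked)
            ? 'accepted'
            : 'The action you requested is not allowed';
    }
    return $results;
}

echo "regenerate = true (CodeIgniter default):\n";
print_r(simulate(true));   // tab 1 accepted, tabs 2 and 3 rejected
echo "regenerate = false:\n";
print_r(simulate(false));  // all three accepted
```

The masked values for the three tabs differ on every run, yet derandomizeToken() returns the same 32-character token for each, which is why the second scenario accepts all of them. If you keep regenerate = true for stricter security, the same simulation shows the tradeoff the docs describe: only the first submission in any set of open tabs will succeed.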