01-17-2024, 09:44 AM
(This post was last modified: 01-17-2024, 09:55 AM by Valkhan. Edit Reason: Found a solution )
I'm facing the same issue with CI 4.4.0. I've turned on error monitoring, and this is bloating my reports with unhandled errors.

Well, I took some time to understand how the framework validates the CSRF token, and I was shocked that, despite having an "expires" config, it does not check the expiration of the token while validating the CSRF token. The verify method:

```php
/**
 * CSRF Verify
 *
 * @return $this
 *
 * @throws SecurityException
 */
public function verify(RequestInterface $request)
{
    // Protects POST, PUT, DELETE, PATCH
    $method           = strtoupper($request->getMethod());
    $methodsToProtect = ['POST', 'PUT', 'DELETE', 'PATCH'];

    if (! in_array($method, $methodsToProtect, true)) {
        return $this;
    }

    $postedToken = $this->getPostedToken($request);

    try {
        $token = ($postedToken !== null && $this->tokenRandomize)
            ? $this->derandomize($postedToken)
            : $postedToken;
    } catch (InvalidArgumentException $e) {
        $token = null;
    }

    // Do the tokens match?
    if (! isset($token, $this->hash) || ! hash_equals($this->hash, $token)) {
        throw SecurityException::forDisallowedAction();
    }

    $this->removeTokenInRequest($request);

    if ($this->regenerate) {
        $this->generateHash();
    }

    log_message('info', 'CSRF token verified.');

    return $this;
}
```

As we can see, the postedToken received by the request is checked only for equality with the current hash. I tried using regenerate = true and tokenRandomize = true, but to no avail; I've set expires to 10s and the hash didn't get regenerated after multiple page refreshes. I'm not certain if CSRF is fully functional at this point after testing this behavior; now I'm worried.

What I was trying to achieve is, instead of throwing an error (exception), to handle the error by returning a 403 failed response, and that would solve the issue of expired tokens bloating my error monitor. It would be nice to have an entry point to handle errors caught on filters, but I do not know if that feature exists.

After some testing, the only fix I found was to enable csrfProtection = session, because when the session expires the hash will be regenerated, and then my solution worked.
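As an added illustration of the point raised in the post above (example code written for this page, not CodeIgniter's Security class), here is a small CSRF hash store whose `verify()` checks the hash's age before comparing values and reports the outcome as a status string, so a caller can answer with a 403 rather than catching an exception. The class and method names (`CsrfGuard`, `verify_hash_only`, `http_status`), the token masking layout, and the constructed timestamps in the demo are this example's own assumptions; the masking only mirrors the idea behind tokenRandomize, not its exact format.

```python
# Added example (not CodeIgniter's code): CSRF hash store that checks expiry too.
# Class and method names, and the token masking layout, are this example's own.
import hmac
import secrets
import time
from typing import Optional


class CsrfGuard:
    """Holds the server-side CSRF hash plus the time it was issued."""

    def __init__(self, expires: int, regenerate: bool = True,
                 randomize: bool = True, now: Optional[float] = None):
        self.expires = expires        # seconds a hash stays valid
        self.regenerate = regenerate  # new hash after each successful check
        self.randomize = randomize    # mask the hash per form render
        self.hash = b""
        self.issued_at = 0.0
        self.generate_hash(time.time() if now is None else now)

    def generate_hash(self, now: float) -> None:
        self.hash = secrets.token_bytes(16)
        self.issued_at = now

    def token_for_form(self) -> str:
        """Value to embed in a form. With randomize, each render gets a different
        string for the same hash: hex((hash XOR key) || key) with a fresh key."""
        if not self.randomize:
            return self.hash.hex()
        key = secrets.token_bytes(len(self.hash))
        masked = bytes(h ^ k for h, k in zip(self.hash, key))
        return (masked + key).hex()

    def _derandomize(self, posted: str) -> Optional[bytes]:
        """Undo the masking; None for anything that is not well formed."""
        try:
            raw = bytes.fromhex(posted)
        except ValueError:
            return None
        if not self.randomize:
            return raw
        if len(raw) == 0 or len(raw) % 2:
            return None
        half = len(raw) // 2
        masked, key = raw[:half], raw[half:]
        return bytes(m ^ k for m, k in zip(masked, key))

    def verify_hash_only(self, posted: Optional[str], now: float) -> str:
        """Equality check only, the behaviour the post describes: token age is ignored."""
        token = self._derandomize(posted) if posted is not None else None
        if token is None or not self.hash or not hmac.compare_digest(self.hash, token):
            return "mismatch"
        if self.regenerate:
            self.generate_hash(now)
        return "ok"

    def verify(self, posted: Optional[str], now: float) -> str:
        """Reject a stale hash before comparing, and rotate it so the old value is gone."""
        if now - self.issued_at > self.expires:
            self.generate_hash(now)
            return "expired"
        return self.verify_hash_only(posted, now)


def http_status(result: str) -> Optional[int]:
    """Map a verify() result to a response code instead of an exception."""
    return None if result == "ok" else 403


if __name__ == "__main__":
    # Constructed timestamps: a form rendered at t=1000 and submitted 11 s later.
    guard = CsrfGuard(expires=10, regenerate=False, now=1000.0)
    token = guard.token_for_form()
    print("hash-only:", guard.verify_hash_only(token, now=1011.0))  # ok
    print("with expiry:", guard.verify(token, now=1011.0))          # expired
```

With cookie-based protection the hash lives in the cookie and nothing ages it, which is why the post only saw rotation once session-based protection let the session lifetime do the job; keeping `issued_at` next to the hash makes the expiry explicit in either storage mode, and a status return lets the filter choose between a 403 and a redirect without an exception reaching the error monitor.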