csrf protection for direct URL?
#1

[eluser]cyberjunkie[/eluser]
I know that csrf protection can be enabled for submitting data via forms but what about direct URL?

For instance, I'm allowing user-to-user subscriptions on my site. A controller named subscribe handles that. When subscribing, I add 2 URL segments to the controller class.

e.g.
http://www.mysite.com/subscribe/add_user/234

In my controller subscribe, the function add_user($user_id) captures the 3rd URL segment, which is the user id I am subscribing to, and adds that to my database table.

The issue is that I can go to the URL from anywhere and subscribe, unlike using a form.

I know that I can use a form, but for simplicity I want just a URL. What methods can I implement with CI for security when inserting data in the database from a URL segment?
#2

[eluser]Eric Barnes[/eluser]
The best advice is never to insert, edit, or delete from a GET request because, as you know, it can be loaded with no validation. Other than that, I say you use a form to subscribe them or do a whole bunch of security checks on the id passed.
#3

[eluser]cyberjunkie[/eluser]
Thanks Eric. I guess I would have to add a hidden input with the value. Would adding a URL segment in the form action URL be ok rather than direct link? Considering that it's csrf protected.
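Added example (not code from any poster in this thread or from CodeIgniter itself) showing the form route Eric recommends, with the target id carried in the form action as asked above. It targets CodeIgniter 2.x and assumes a session key `user_id` for the logged-in user and a hypothetical model method `subscription_model->add($follower_id, $target_id)` that performs the insert. File boundaries are marked in comments.

```php
<?php
// Added example (not from the thread): moving subscribe from a bare GET link to a
// CSRF-protected POST form in CodeIgniter 2.x. Assumed: session key 'user_id' and a
// hypothetical Subscription_model::add($follower_id, $target_id) that does the insert.

// --- application/config/config.php ---
// CodeIgniter verifies the CSRF token only on POST requests. A GET request is never
// checked, so the URL in post #1 gets no protection from these settings at all.
$config['csrf_protection']  = TRUE;
$config['csrf_token_name']  = 'csrf_token';
$config['csrf_cookie_name'] = 'csrf_cookie';
$config['csrf_expire']      = 7200;

// --- application/views/profile.php (the target user's profile page) ---
// form_open() inserts the hidden CSRF field itself when csrf_protection is TRUE.
// Carrying the target id in the action URL is fine: the token check does not depend
// on the URI segments, only on the POSTed token matching the cookie.
?>
<?php echo form_open('subscribe/add_user/' . (int) $profile_user_id); ?>
    <button type="submit">Subscribe</button>
<?php echo form_close(); ?>
<?php

// --- application/controllers/subscribe.php ---
class Subscribe extends CI_Controller
{
    public function __construct()
    {
        parent::__construct();
        $this->load->helper(array('form', 'url'));
        $this->load->library('session');
        $this->load->model('subscription_model'); // assumed model, see lead-in
    }

    public function add_user($user_id = NULL)
    {
        // Refuse anything that is not a POST. A GET here is exactly the unprotected
        // link from post #1. (CI 2.x has no $this->input->method(); read the server var.)
        if ($this->input->server('REQUEST_METHOD') !== 'POST') {
            show_error('Method not allowed', 405);
        }

        // Validate the URI segment before it goes anywhere near the database.
        if ($user_id === NULL || ! ctype_digit((string) $user_id)) {
            show_404();
        }

        // The acting user always comes from the server-side session, never from the URL.
        $follower_id = (int) $this->session->userdata('user_id');
        if ($follower_id === 0) {
            redirect('login');
        }

        $target_id = (int) $user_id;
        if ($target_id === $follower_id) {
            show_error('You cannot subscribe to yourself', 400);
        }

        $this->subscription_model->add($follower_id, $target_id);
        redirect('profile/' . $target_id);
    }
}
```

With `csrf_protection` enabled, the Security class rejects the POST before `add_user()` runs if the hidden token does not match the cookie, so the controller only has to insist on POST and validate the id; the method check matters because the CSRF layer does nothing for GET.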
#4

[eluser]fesweb[/eluser]
To keep people from accessing other URLs just by changing the ID, I add a hashed segment on the end of links.
Code:
http://www.mysite.com/subscribe/add_user/234
would become
http://www.mysite.com/subscribe/add_user/234/GYQFqfyUfgrgtypsPOIwfgQIu
or whatever
The actual hash is bound to the id, the action, the user and the server.
Code:
function hashomatic($str)
{
    // I AM NOT A SECURITY EXPERT....
    // THIS IS JUST TO GIVE YOU THE BASIC IDEA

    // tie to the server/application
    $key = $this->config->item('encryption_key');
    // tie to the user
    $str = $str.$this->session->userdata('user_id');
    // keyed hash (HMAC) of the string under the server key;
    // add further obfuscation here if you like
    $my_hash = hash_hmac('sha256', $str, $key);

    return $my_hash;
}
// tie to the action and id
$hash = $this->hashomatic('subscribeuser234');
Then when processing the URL, just compare the hash to a re-hash of 'subscribeuser234'.
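Added example (not fesweb's or CodeIgniter's code) carrying the idea in post #4 through to the verification step: a token bound to the action, the target id and the acting user, keyed with a server secret, and a constant-time check on the way back in. It is plain PHP (5.6 or later, for `hash_equals`) so it runs from the command line; `SERVER_SECRET` stands in for `$this->config->item('encryption_key')` and the caller passes the logged-in user's id where CI code would read `$this->session->userdata('user_id')`.

```php
<?php
// Added example (not from the thread): a signed subscribe link in the spirit of post #4,
// written as plain PHP so it runs stand-alone.
// Assumed: SERVER_SECRET replaces $this->config->item('encryption_key'); the acting user id
// is passed in where CodeIgniter code would use $this->session->userdata('user_id').

const SERVER_SECRET = 'replace-with-a-long-random-secret';

// Token bound to the action, the target id and the acting user. The '|' separator keeps
// 'add_user' . '1234' distinct from 'add_user1' . '234'.
function subscribe_token($action, $target_id, $acting_user_id)
{
    $message = $action . '|' . (int) $target_id . '|' . (int) $acting_user_id;
    // HMAC rather than md5(secret . data): a keyed hash is the tool for "only my server
    // can mint this". Truncated to 32 hex chars (128 bits) to keep the URL readable.
    return substr(hash_hmac('sha256', $message, SERVER_SECRET), 0, 32);
}

// Build the link the logged-in user is shown on someone else's profile page.
function subscribe_url($base, $target_id, $acting_user_id)
{
    return $base . '/subscribe/add_user/' . (int) $target_id . '/'
         . subscribe_token('add_user', $target_id, $acting_user_id);
}

// Controller side: recompute and compare in constant time. The acting user id comes from
// the server-side session, never from the URL, so a token minted for user 17 is rejected
// when user 18's browser is tricked into requesting the same link.
function verify_subscribe_token($token, $action, $target_id, $acting_user_id)
{
    if (! is_string($token) || strlen($token) !== 32 || ! ctype_xdigit($token)) {
        return FALSE;
    }
    $expected = subscribe_token($action, $target_id, $acting_user_id);
    return hash_equals($expected, $token);
}

// Constructed demo: user 17 is logged in and clicks "subscribe" on user 234's profile.
$url   = subscribe_url('http://www.mysite.com', 234, 17);
$token = basename($url);
echo $url, PHP_EOL;

// Only the first case is the token as issued; each of the others changes one bound field.
$cases = array(
    'as issued'         => array('add_user',    234, 17),
    'id changed'        => array('add_user',    235, 17),
    'action changed'    => array('remove_user', 234, 17),
    'different session' => array('add_user',    234, 18),
);
foreach ($cases as $label => $args) {
    list($action, $target_id, $acting_user_id) = $args;
    $ok = verify_subscribe_token($token, $action, $target_id, $acting_user_id);
    printf("%-18s %s\n", $label, $ok ? 'accepted' : 'rejected');
}
```

In a CodeIgniter controller the method signature becomes `add_user($user_id, $token = '')`, and the first thing it does is call the verify function with `$this->session->userdata('user_id')` and `show_error('Forbidden', 403)` on failure. Two caveats a practitioner should weigh: `hash_equals` is there to avoid leaking the comparison through timing, so do not replace it with `==`; and a GET URL still lands in browser history, server logs and outgoing Referer headers, so a signed link is a mitigation for the GET design, not a substitute for the POST form Eric suggested. If the GET link stays, adding an expiry timestamp to the signed message limits how long a leaked link remains usable.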
#5

[eluser]cyberjunkie[/eluser]
Thanks for sharing that Fesweb! CI should definitely have a similar function.