• 0 Vote(s) - 0 Average
  • 1
  • 2
  • 3
  • 4
  • 5
Protection against CSRF attacks. Help!

#1
[eluser]jojo777[/eluser]
Hi everyone,

I'm with some code trying to make more secure forms, but i'm finding some troubles and some questions that I need to understand about CSRF protection to be sure that Im doing it right. So here i go!! Oh...I'm not using the CI tokens...

I'm developing some modules for a web, so when the users are logged in they can access to some forms to edit their profile, change password, send messages...So, any time the logged in user access to any of these sections the code generates a random token that is sent to the view in a hidden input. Then the user fill the form fields and submit it. The controller checks that the hidden is sent and check it against the random value that was created before the form was loaded, everything looks like works fine, but i would like to know if i'm doing it cool.

In adition I would like know how a forum works in that sense, I mean, you can open many tabs and send all forms. In my case the user can only send the last loaded form because the token is replaced any time a form is showed.

So any ideas. I'll apreciate any help about how to improve it and learn more about multiple tabs with token if its possible. Finally should I use tokens at login and logout? Thanks!!

Here is the code I use:

Token test function:

Code:
function token_test(){
        if (!$this->users_model->is_logged_in()){
            redirect('users/login', 'refresh');
        }

        if($this->input->post()){// If the form is submited check the token
            if($this->is_valid_token()){
                $data['nombre'] = $this->input->post('nombre', TRUE);
                $data['comentario'] = $this->input->post('comentario', TRUE);
                $data['view'] = 'members/token_test_success';
                $this->load->view('_includes/template', $data); // load a view that shows a success message with the data.
            }else{
                echo '<p>error de token</p>';// example error mesagge
            }
        }else{
            $request_token = $this->_create_token();

            $token_session = array(
                'request_token' => $request_token
            );
            $this->session->set_userdata($token_session);

            $data['view'] = 'members/token_test';
            $this->load->view('_includes/template', $data);
        }
    }

The create token function
Code:
function _create_token(){

        $token = sha1(uniqid(microtime(), TRUE));

        return $token;
    }

The form view:
Code:
&lt;form method="post" action="token_test_validation"&gt;
&lt;input type="hidden" name="csrf_token" value="&lt;?php echo $this-&gt;session-&gt;userdata('request_token'); ?&gt;"&gt;

<label>Nombre</label>
&lt;input type="text" name="nombre" value="Yeah baby!"&gt;
<label>Comentario</label>
&lt;textarea name="comentario"&gt;This is a test&lt;/textarea&gt;
&lt;input name="input" type="submit" id="submit_singup" class="btn btn-primary" value="Guardar cambios" title="Pulse para guardar" /&gt;
&lt;/form&gt;

Token Check
Code:
function is_valid_token($key = 'csrf_token'){
        return ($this->input->post($key) && ($this->input->post($key) === $this->session->userdata('request_token')));
    }


Digg   Delicious   Reddit   Facebook   Twitter   StumbleUpon  


  Theme © 2014 iAndrew  
Powered By MyBB, © 2002-2021 MyBB Group.