• 0 Vote(s) - 0 Average
  • 1
  • 2
  • 3
  • 4
  • 5
[Solved] Any thing better than CSRF

#11
(12-17-2016, 02:30 AM)Diederik Wrote: I remember I ran into such an issue a while ago. Turned out I made some misrake where it ran form / csrf validation twice. So the first check regenerated the csrf key so the secind pass would always return false... Perhaps you could try finding such a case in your code. To trace this case I put some debug echo code in the core form validation/csrf files.

Hello,

I have found this which redirects back to page instead of showing CSRF error is that safe?

Found here https://github.com/benedmunds/CodeIgnite...t-60716698


PHP Code:
<?php

class MY_Security extends CI_Security {

 
   public function __construct()
 
   {
 
       parent::__construct();
 
   }

 
   public function csrf_show_error()
 
   {
 
       // show_error('The action you have requested is not allowed.');  // default code

 
       // force page "refresh" - redirect back to itself with sanitized URI for security
 
       // a page refresh restores the CSRF cookie to allow a subsequent login
 
       header('Location: ' htmlspecialchars($_SERVER['REQUEST_URI']), TRUE200);
 
   }


There's only one rule - please don't tell anyone to go and read the manual.  Sometimes the manual just SUCKS!
Reply

#12
Can you verify that the CSFR cookies are set at all in your browser? If they dont exists it could be that you have enabled secure cookies in your config file and use a unsecured connection. With this setting cookies only get placed if you use a secure connection (https://).

Code:
$config['cookie_secure'] = FALSE;

*edit: I missed you posted your config file.

And please turn on your log to see what is happening. Be default it gives you some details on when CSFR cookies are places and verified. If you need more information to debug your issue properly then extend the class and alter some functions and add more logging statements in the code.

PHP Code:
<?php

class MY_Security extends CI_Security {

 
   public function __construct()
 
   {
 
       parent::__construct();
 
   }

 
   /**
     * CSRF Verify DEBUG
     *
     * @return  CI_Security
     */
 
   public function csrf_verify()
 
   {

 
       log_message('info''CSRF csrf_verify start');

 
       // If it's not a POST request we will set the CSRF cookie
 
       if (strtoupper($_SERVER['REQUEST_METHOD']) !== 'POST')
 
       {
 
           return $this->csrf_set_cookie();
 
       }

 
       // Check if URI has been whitelisted from CSRF checks
 
       if ($exclude_uris config_item('csrf_exclude_uris'))
 
       {
 
           $uri load_class('URI''core');
 
           foreach ($exclude_uris as $excluded)
 
           {
 
               if (preg_match('#^'.$excluded.'$#i'.(UTF8_ENABLED 'u' ''), $uri->uri_string()))
 
               {

 
                   log_message('info''CSRF url was excluded from CSRF check');
 
                   return $this;
 
               }
 
           }
 
       }

 
       // Do the tokens exist in both the _POST and _COOKIE arrays?
 
       if ( ! isset($_POST[$this->_csrf_token_name], $_COOKIE[$this->_csrf_cookie_name])
 
           OR $_POST[$this->_csrf_token_name] !== $_COOKIE[$this->_csrf_cookie_name]) // Do the tokens match?
 
       {
 
           log_message('info''CSRF tokens exist in both the _POST and _COOKIE arrays');
 
           $this->csrf_show_error();
 
       }

 
       // We kill this since we're done and we don't want to polute the _POST array
 
       unset($_POST[$this->_csrf_token_name]);

 
       // Regenerate on every submission?
 
       if (config_item('csrf_regenerate'))
 
       {

 
           // Nothing should last forever
 
           unset($_COOKIE[$this->_csrf_cookie_name]);
 
           $this->_csrf_hash NULL;

 
           log_message('info''CSRF was regenerate (Cookie removed)');

 
       }

 
       log_message('info''CSRF executing _csrf_set_hash');
 
       $this->_csrf_set_hash();

 
       log_message('info''CSRF executing csrf_set_cookie');
 
       $this->csrf_set_cookie();

 
       log_message('info''CSRF token verified');
 
       return $this;
 
   }


Reply

#13
I think I have found solution now.

I don't get CSRF error now when I use form helper functions like example

PHP Code:
<?php echo form_open_multipart('controller/function');>

<?
php echo form_input('username''username');?>

<?php echo form_close();?>

If I have input like below then the CSRF error will show


PHP Code:
<?php echo form_open_multipart('controller/function');>

<
input type="text" name="username" />

<?
php echo form_close();?>

So I think it's best to use all form helper functions

I can now use $config['csrf_regenerate'] = TRUE; with out error showing and Not extending Security


PHP Code:
$config['csrf_protection'] = TRUE;
$config['csrf_token_name'] = 'my_post_key';
$config['csrf_cookie_name'] = 'cookie_name';
$config['csrf_expire'] = 7200;
$config['csrf_regenerate'] = TRUE;
$config['csrf_exclude_uris'] = array(); 
There's only one rule - please don't tell anyone to go and read the manual.  Sometimes the manual just SUCKS!
Reply


Digg   Delicious   Reddit   Facebook   Twitter   StumbleUpon  


  Theme © 2014 iAndrew  
Powered By MyBB, © 2002-2019 MyBB Group.