Static CSRF
Hello there!
I was having some issues with AJAX, going forward/back in history, and the CSRF token. So someone said to me, "Well, maybe set csrf_regenerate to FALSE; you don't always need a new token." My question here is: is this secure? It won't allow someone to send JavaScript to my client with a loop doing something like this:

www.mywebsite.com/admin/states/delete/?id=1
www.mywebsite.com/admin/states/delete/?id=2
www.mywebsite.com/admin/states/delete/?id=3
www.mywebsite.com/admin/states/delete/?id=4

Another thing: my website won't log you out until you ask it to, so my $config['csrf_expire'] is 77760000. Can anyone help me with this one?
If you have a token that is static for the entire session, then yes, a compromised CSRF token can be used again and again by the attacker.
Quote: My question here is: is this secure?

No, it most certainly is not. It is a bit more secure than having no CSRF protection, but not much, and it is a poor implementation. It is unwise not to regenerate the token. But I suppose in less mission-critical places, like submitting a contact form or some other such simple thing, you could do this. But in anything but the most simple application, setting regenerate to FALSE is a bad idea. E.g., a quick Google search for this: https://haiderm.com/10-methods-to-bypass...gery-csrf/ (see "exploiting poor implementation").

Best wishes,
Paul
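An added example, not code from the thread or from CodeIgniter itself, to make the trade-off concrete. It shows the CodeIgniter 3 settings from the question beside the safer ones, then a controller action for the delete URLs in the question that refuses GET, relies on the framework's token check for POST, and returns the freshly rotated token so the AJAX client can keep working with regeneration left on. The class name States, the route /admin/states/delete, the state_model model and the JSON field names are assumptions for illustration; the config keys and the $this->input, $this->security and show_error() calls are real CodeIgniter 3 APIs.

```php
<?php
// --- application/config/config.php ---------------------------------------

// The settings from the question: one token for the whole session, valid
// for 77760000 seconds (900 days). A token leaked once via XSS, a log or a
// referer header keeps working until the user logs out.
$config['csrf_protection'] = TRUE;
$config['csrf_regenerate'] = FALSE;
$config['csrf_expire']     = 77760000;

// Safer replacement for the three lines above: rotate the token on every
// POST and let it expire after two hours (CodeIgniter's default). An
// expired token only costs the user a page reload, not their session.
$config['csrf_protection'] = TRUE;
$config['csrf_regenerate'] = TRUE;
$config['csrf_expire']     = 7200;

// --- application/controllers/admin/States.php (assumed location) --------

class States extends CI_Controller
{
    // The delete endpoint behind www.mywebsite.com/admin/states/delete/
    public function delete()
    {
        // CodeIgniter's CSRF filter only inspects POST requests, so the
        // ?id=1, ?id=2 ... GET links in the question would never meet the
        // token check at all, whatever csrf_regenerate is set to. A
        // destructive action therefore has to refuse GET outright.
        if ($this->input->method(TRUE) !== 'POST') {
            show_error('Method not allowed', 405);
        }

        // For a POST the Security class has already verified the token
        // before this controller ran (csrf_protection = TRUE); a missing
        // or stale token ends the request with "The action you have
        // requested is not allowed." before any code here executes.
        $id = (int) $this->input->post('id', TRUE);
        if ($id <= 0) {
            show_error('Bad request', 400);
        }

        // Assumed model call; the thread shows no model code.
        $this->load->model('state_model');
        $this->state_model->delete($id);

        // With csrf_regenerate = TRUE the hash was replaced while verifying
        // this request. Hand the new name/hash pair back in the response so
        // the AJAX caller can update its hidden field or header for the
        // next call, instead of disabling regeneration to keep it static.
        $this->output
            ->set_content_type('application/json')
            ->set_output(json_encode(array(
                'deleted'   => $id,
                'csrf_name' => $this->security->get_csrf_token_name(),
                'csrf_hash' => $this->security->get_csrf_hash(),
            )));
    }
}
```

The same rotated hash is also written to the cookie named by $config['csrf_cookie_name'], so a client that prefers not to parse the JSON can read it from there before its next request; either way, history navigation that replays an old page only holds a stale token, which is exactly the failure mode regeneration is meant to produce.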
Yes, I would not do it now, but I have in the past. I really hate those contact form bots. Having said that, I would never turn regenerate off in the first place, of course.
If people far more advanced and experienced than me have gone to a lot of trouble to give me security tools, the least I can do is use them! Paul.