[agimovel]

Hello there!

I was having some issues with ajax and go forward/back in history and CSRF token.

So someone said to me "well maybe you csrf_regenerate to FALSE, you don't need always a new token".

My question here is: is this secure? It wont allow someone to send a javascript to my client with a loop doing something like this:

www.mywebsite.com/admin/states/delete/?id=1
www.mywebsite.com/admin/states/delete/?id=2
www.mywebsite.com/admin/states/delete/?id=3
www.mywebsite.com/admin/states/delete/?id=4

Another thing, my website won't log you out untill you ask for, so my $config['csrf_expire'] is 77760000;

Anyone can help me with this one?

[PaulD]

If you have a token that is static for the entire session, then yes, a compromised CSRF token can be used again and again by the attacker.

My question here is: is this secure?

No, it most certainly is not. A bit more secure than having no CSRF, but not much, and is a poor implementation.

It is unwise to not regenerate the token. But I suppose in less mission critical places like submitting a contact form or other such simple thing, you could do this. But in anything but the most simple application, setting regenerate to FALSE is a bad idea.

Eg: Quick google for this: https://haiderm.com/10-methods-to-bypass...gery-csrf/ see exploiting poor implementation.

Best wishes,

Paul

[Narf]

But I suppose in less mission critical places like submitting a contact form or other such simple thing, you could do this.

And welcome the spam bots with that.

Unless you put a CAPTCHA in there, which you should ... and it's a form of CSRF protection.

[PaulD]

Yes, I would not do it now, but have in the past. I really hate those contact form bots. Having said that, I would never turn regenerate off in the first place of course.

If people far more advanced and experienced than me have gone to a lot of trouble to give me security tools, the least I can do is use them!

Paul.

[agimovel]

Ok, thank you guys!