CSRF security

Question

CSRF security

GunslerRage Sep '18

Created Sep '18	Last Reply Oct '18	Replies 5	Views 641	Votes 0

GunslerRage 40.6k

Sep '18

Hello.

I am working on an ajax based site, that uses the CSRF in every form.

the problem is, that whenever a user opens a new tab, with a form, and goes back to the other tab again, the token has updated and the user will be getting the message "This token is not valid" if he/she submits the form.

How can i prevent this? Do I need one token for the entire session and not genereate new for every page with form?

Amal · Answer 1 · 2018-09-23T04:40:26-07:00

I am not an expert on CSRF but I have used one token per form. I don't generate tokens for each tab of a form - all the tabs of a form get submitted once only. I have used the approach mentioned here to make it generic - Is beforeExecuteRoute a good place to put CSRF checking?.

Guillaume Allegret · Answer 2 · 2018-09-24T07:23:08-07:00

See Phalcon\Security::checkToken

The last params allow to not destroy the token a each check.

Try :

$security->checkToken(
    'your-token-key', 
    $request->getHeader('X_CSRF_TOKEN'), 
    false // do not destroy the token
);

With this, the token will remain the same, as long as the session will be valid.

Dylan Anderson · Answer 3 · 2018-10-02T07:41:32-07:00

I wrote my own CSRF component that generates the token once per session. The token is generated the first time the component is instantiated.

As for checking CSRF, I have that in beforeDispatch rather than beforeExecuteRoute. The rationale for that, is beforeDispatch is executed earlier, so less work is done on behalf of invalid requests.

Amal · Answer 4 · 2018-10-05T19:59:57-07:00

Amal
16.3k

Oct '18

Can you possibly share some code @quasipickle - component & beforeDispatch. TIA.

Dylan Anderson · Answer 5 · 2018-10-10T08:11:12-07:00

Component:

<?PHP
namespace Component;

/**
 * This component handles all Cross-Site Request Forgery (CSRF) operations
 * 
 * This class behaves very similar to the built-in-Phalcon Security component.
 * The difference is that this component only generates the token & key once per session,
 * thereby allowing it to be invoked multiple times in a single page, and be used on multiple,
 * concurrent pages.
 * 
 */
class CSRF extends \Phalcon\Mvc\User\Component{

    /**
     * Make sure any POST requests contain a valid CSRF key & token
     * 
     * This method called by the Dispatcher's Event manager because this component 
     * was added as a dispatch listener in bootstrap.php.
     *
     * Forwards (not redirect) to index/csrf if the token wasn't set.
     * 
     * @param  $Event The Event causing the method to be triggered
     * @param  $Dispatcher The Event Dispatcher
     */
    public function beforeDispatch(\Phalcon\Events\Event $Event,\Phalcon\Mvc\Dispatcher $Dispatcher){
        # Handle CSRF check
        if($Dispatcher->getControllerName() != 'index' && $Dispatcher->getActionName() != 'csrf'){
            if($this->request->isPost()){
                if(!$this->checkToken()){
                    if($this->request->isAjax()){
                        echo 'The submitted information did not include a CSRF token, which is required to ensure you actually meant to submit the form.';
                        exit();
                    }
                    else{
                        $Dispatcher->forward(['controller'=>'index','action'=>'csrf']);
                    }
                }
            }
        }
    }

    /**
     * Get the CSRF token key
     * 
     * Generates the key & token if key wasn't already set
     * 
     * @see  self::generateToken()
     * 
     * @return string The token key
     */
    public function getTokenKey(): string {
        if(!$this->session->get('csrf_token_key'))
            $this->generateToken();

        return $this->session->get('csrf_token_key');
    }

    /**
     * Get the CSRF token
     * 
     * Generates the key & token if token wasn't already set
     * 
     * @see  self::generateToken()
     * 
     * @return string The token
     */
    public function getToken(): string {
        if(!$this->session->get('csrf_token'))
            $this->generateToken();

        return $this->session->get('csrf_token');
    }

    /**
     * Checks $_POST to ensure the proper token key & token were POSTed
     * 
     * @return boolean whether or not the appropriate values were found it $_POST
     */
    public function checkToken(): bool{
        $stored_key   = $this->getTokenKey();
        $stored_token = $this->getToken();
        $passed_token = $this->request->getPost($stored_key);

        if($stored_token == $passed_token)
            return TRUE;
        else
            return FALSE;
    }

    /**
     * Generates the token & key and stores them in session
     */
    private function generateToken(){
        $this->session->set('csrf_token_key',$this->security->getTokenKey());
        $this->session->set('csrf_token',$this->security->getToken());
    }
}

Then, in my bootstrap.php file, I add the component as an event listener:

$DI->set('dispatcher',function(){
        // Create an events manager that checks authentication,
        // and propagates user information before dispatching
        $EM = new \Phalcon\Events\Manager();

        // Check any POSTed form had CSRF properly set
        $EM->attach('dispatch:beforeDispatch',new \Component\CSRF());

        $Dispatcher = new \Phalcon\Mvc\Dispatcher();
        $Dispatcher->setEventsManager($EM);

        return $Dispatcher;
    });