
CSRF doesn't work

In my view I have

<input type="hidden" name="<?php echo $this->security->getTokenKey() ?>" value="<?php echo $this->security->getToken() ?>"/>

in my controller I have

echo "<pre>";
var_dump($this->security->checkToken()); // var_dump() prints on its own; wrapping it in print_r() adds nothing
echo "</pre>";
exit;

which returns false.

Now I added this in my Apache config

RedirectMatch 204 /robots.txt
RedirectMatch 204 /favicon.ico

and in my debugger, for favicon it says 204.

If, inside the view, I print my session, I get

Array
(
    [$PHALCON/CSRF$] => MDmkpUWC6qN5KAtt
    [$PHALCON/CSRF/KEY$] => Aw821s5pNwq6IPsG
)

and if I inspect the hidden element, those are the name and the value of the input. However, once I click "submit", if I print the session again inside the controller, I get completely different values.

Multi-module app

in my application.php file I have

use Phalcon\Session\Adapter\Files as SessionAdapter;

// shared session service, registered once per DI container
$this->di->set('session', function () {
    $session = new SessionAdapter();
    $session->start();

    return $session;
}, true);

Phalcon 2.1.x




additional test:

even if I do


$this->security->getTokenKey();
$this->security->getToken();

echo "<pre>";
var_dump($this->security->checkToken()); // var_dump() prints on its own; wrapping it in print_r() adds nothing
echo "</pre>";
exit;

it still doesn't work



edited Oct '15

It sounds like you are regenerating the token somewhere else, outside your form. Any time you call getTokenKey() or getToken() it will regenerate. checkToken() will return either true or false. In your last example the session hasn't been updated before you check it. I think the tokens are saved in the flash session, so they are a one-hit wonder, so they need to be passed directly to the controller via POST, without any interruption. So it seems you are either duplicating the token somewhere, or you are not posting directly to the method containing the check.




I actually opened an issue on GitHub, https://github.com/phalcon/cphalcon/issues/11009, because this code works in the master branch.




I saw your post while I was searching for a solution. But I am not keen on the idea. The token should be destroyed after every try (at least in my opinion).

Otherwise I think it should work. But it seems like there are some problems with 2.1's tokens.

To be honest, just implement your own CSRF protection; it's not so hard. I have my own because I didn't check this built-in one, and I have no problems :P
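Since both the explanation earlier in the thread (the key and token live in the session and every get call regenerates them, so a check only passes when the form is posted straight to the checking action) and the suggestion here to roll your own come up, below is an added example of a minimal session-backed CSRF guard with exactly those semantics. It is not Phalcon's code and was not posted by anyone in this thread. The class name CsrfGuard, the plain array standing in for $_SESSION, passing the POST array into checkToken() explicitly, and the three request flows at the bottom are assumptions made for the example; the two session slot names are the ones printed in the question.

```php
<?php
// Added example, not Phalcon's own code. A stand-alone CSRF guard that mirrors
// the behaviour described in the thread: key and token are stored in the
// session, every "get" call regenerates them, and the check compares the
// posted field against what the session holds. The session is a plain array
// (constructed stand-in for $_SESSION) so the script runs without Phalcon.

final class CsrfGuard
{
    // Session slot names as printed in the question's session dump
    private const KEY_SLOT   = '$PHALCON/CSRF/KEY$';
    private const TOKEN_SLOT = '$PHALCON/CSRF$';

    /** @var array reference to the session store (assumed stand-in for $_SESSION) */
    private $session;

    public function __construct(array &$session)
    {
        $this->session = &$session;
    }

    /** Returns a fresh hidden-field name and stores it; regenerates on every call. */
    public function getTokenKey(): string
    {
        $key = bin2hex(random_bytes(8));
        $this->session[self::KEY_SLOT] = $key;
        return $key;
    }

    /** Returns a fresh token value and stores it; regenerates on every call. */
    public function getToken(): string
    {
        $token = bin2hex(random_bytes(16));
        $this->session[self::TOKEN_SLOT] = $token;
        return $token;
    }

    /**
     * Compares the posted field against the session in constant time and
     * consumes the token (one-shot), so a replayed or stale form fails.
     * Phalcon's checkToken() reads the request itself; here the POST array
     * is passed in explicitly to keep the example self-contained.
     */
    public function checkToken(array $post): bool
    {
        $key   = $this->session[self::KEY_SLOT]   ?? null;
        $token = $this->session[self::TOKEN_SLOT] ?? null;
        if ($key === null || $token === null || !isset($post[$key]) || !is_string($post[$key])) {
            return false;
        }
        $ok = hash_equals($token, $post[$key]);
        // Destroy the pair after every attempt, as suggested in the thread
        unset($this->session[self::KEY_SLOT], $this->session[self::TOKEN_SLOT]);
        return $ok;
    }
}

// --- Request 1: the view renders the hidden field ---------------------------
$session = [];                                   // constructed stand-in for $_SESSION
$guard   = new CsrfGuard($session);
$field   = $guard->getTokenKey();
$value   = $guard->getToken();
echo sprintf('<input type="hidden" name="%s" value="%s"/>',
    htmlspecialchars($field, ENT_QUOTES), htmlspecialchars($value, ENT_QUOTES)), "\n";

// --- Request 2: the browser posts the form straight to the action -----------
$post = [$field => $value];
var_dump($guard->checkToken($post));             // session and form agree, so the check passes

// --- The failure mode from the "additional test" post -----------------------
$field = $guard->getTokenKey();
$value = $guard->getToken();
$post  = [$field => $value];
$guard->getTokenKey();                           // regenerating before the check replaces
$guard->getToken();                              // the session values the form was built from
var_dump($guard->checkToken($post));             // so the posted pair no longer matches

// --- Replay: a consumed token cannot be reused ------------------------------
$field = $guard->getTokenKey();
$value = $guard->getToken();
$post  = [$field => $value];
var_dump($guard->checkToken($post));             // first submission matches
var_dump($guard->checkToken($post));             // second submission finds the slots cleared
```

The same three flows are what the question's debugging is probing: anything that hits the application between rendering the form and posting it (a favicon or robots.txt request routed into the app, a second view that also calls the get methods, or calling them again in the action before the check) rewrites the session pair and the check fails.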




But why make your own when it's built into Phalcon? It's quite easy to make your own function if you want, but if it's built in, it should work and be usable :) I didn't realize at first that OP was using a beta version, so it would seem they may have found a bug, rather than looking for some way of implementing it.
