FuelPHP Forums

Possible conditional error in Security Class
  • Hi,
    I might be reading this wrong but...

    Security line 353. Shouldn't this be:
            if ( ! $reset and static::$csrf_old_token and \Config::get('security.csrf_expiration', 0) === 0)

    instead of:
            if ( ! $reset and static::$csrf_old_token and \Config::get('security.csrf_expiration', 0) > 0)

    From config.php:
            /**
             * Expiry of the token in seconds. If zero, the token remains the same
             * for the entire user session.
             */
            'csrf_expiration'       => 0,

    Right now, because of the > 0, it is replacing the token if it === 0.

    Once I extended and changed this, it works fine.


  • I wonder if that config description is correct.

    If I check the code, then there is no mechanism anywhere that allows for unchanged tokens for the duration of the session, as check_token() ALWAYS rotates the token after a successful match.

    I think it means to say "If zero, the token remains valid for the entire session". Which is different from "the same", which from a security point of view is a bad idea.
  • Well, you are right that at least the comment block is incorrect. It's not consistent with the conditional... I actually scratched my head here for a while.

    Otherwise, I have read that this pattern allows for leaving a single token for the duration of the session. Maybe that's not as secure as constantly rotating the token but at least I don't have to worry about things like multiple tabs running on the same session.

    It would be useful to have that capability. Otherwise, what does it mean for a token to NOT remain valid for an entire session? A token could only be used once in the current scheme.
  • Harro
    Accepted Answer
    The multiple tabs issue, and ajax calls, can be dealt with with the javascript function for which the Security class has the generator methods.

    They will update the form field with the contents of the cookie when you submit the form, making sure it's always up to date. In that case rotation is no longer an issue.
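
    As an added example, not code from the FuelPHP project or from anyone in this thread, here is a minimal PHP model of the lifecycle discussed above: a csrf_expiration of 0 disables time-based expiry, a successful check always rotates the token, and the previous token is accepted once, which is why a second tab needs the JavaScript helper to refresh its field from the cookie before submitting. The class name CsrfGuard and the one-rotation grace period are assumptions of this model.

```php
<?php
// Illustrative model of CSRF token expiry/rotation (assumption: not FuelPHP's Security class).
final class CsrfGuard
{
    private $token = null;     // token currently issued to forms (and to the cookie)
    private $oldToken = null;  // previous token, accepted once so a form rendered
                               // just before a rotation does not fail
    private $issuedAt = 0;
    private $expiration;       // mirrors 'security.csrf_expiration': 0 = no time expiry

    public function __construct(int $expiration = 0)
    {
        $this->expiration = $expiration;
    }

    // Token to embed in a form; rotated on first use or when a positive expiry has elapsed.
    public function token(int $now): string
    {
        if ($this->token === null) {
            $this->rotate($now);
        } elseif ($this->expiration > 0 && ($now - $this->issuedAt) >= $this->expiration) {
            $this->rotate($now);   // time-based expiry applies only when expiration > 0
        }
        return $this->token;
    }

    // Verify a submitted token; a successful check always rotates (tokens are one-use).
    public function checkToken(string $submitted, int $now): bool
    {
        $current  = $this->token !== null && hash_equals($this->token, $submitted);
        $previous = $this->oldToken !== null && hash_equals($this->oldToken, $submitted);
        if (! $current && ! $previous) {
            return false;
        }
        $this->rotate($now);
        return true;
    }

    private function rotate(int $now): void
    {
        $this->oldToken = $this->token;
        $this->token    = bin2hex(random_bytes(16));
        $this->issuedAt = $now;
    }
}

// Constructed scenario: two tabs render forms from the same session, then submit in turn.
$guard = new CsrfGuard(0);                 // csrf_expiration = 0: time alone never rotates
$tabA  = $guard->token(1000);
$tabB  = $guard->token(1900);              // same session token as tab A
var_dump($guard->checkToken($tabA, 2000)); // tab A submits: accepted, token rotates
var_dump($guard->checkToken($tabB, 2001)); // tab B submits the now-old token: grace period
var_dump($guard->checkToken($tabB, 2002)); // same stale token again: rejected
```

    With the JavaScript helper Harro mentions, tab B would copy the rotated value from the cookie into its hidden field on submit, so it never relies on the grace period.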
