FuelPHP Forums
CSRF logic flaw?
  • I think there may be a flaw in the logic with checking csrf tokens with ajax and regular requests. For example, I have a page with two forms: one is a regular form with the csrf token in a hidden field, the other is an ajax form that sends the token via the JavaScript method fuel_csrf_token(). The problem is that if I submit the ajax form first, when the form is processed it's going to check the token, and in doing so the csrf cookie is going to be updated. This means that the csrf token in the static form, if submitted, will not pass the Security::check_token() method. It will fail every time because there has been a new token generated since the form was created. Unless I'm missing something, I think that the security class should either have a separate method to check a javascript/ajax token that doesn't generate a new token, or put some sort of override flag in the check_token() method that doesn't generate a new token. There are definitely other workarounds, like comparing the tokens directly or updating static form elements after an ajax request, but I think there should be a change in the security class. Thoughts?
  • I did a similar thing but then logic took over and I moved one of the forms to a new page instead of trying to mix or hack the form csrf logic. I now only try to use one / one page scenario to ensure nothing fails. Not very helpful I know but it was the only real workable solution I found without loads of hacks.
  • Currently, the CSRF code only supports a single form at a time (a shortcoming other frameworks have as well); you'll have the same issue if you have multiple forms on a page, or multiple pages open to the same site. I ran into this issue as well, but haven't had time to look into it. Could you add this as an issue at http://github.com/fuel/core/issues?
  • Harro Verton wrote on Thursday 14th of July 2011:
    Currently, the CSRF code only supports a single form at a time (a shortcoming other frameworks have as well); you'll have the same issue if you have multiple forms on a page, or multiple pages open to the same site. I ran into this issue as well, but haven't had time to look into it. Could you add this as an issue at http://github.com/fuel/core/issues?

    I'll create an issue, but this code should work. If the check is done via ajax, don't update the token in /core/classes/security:
    public static function check_token($value = null)
    {
        // Use the explicit value if one was passed, otherwise read the token from the POST data
        $value = $value ?: \Input::post(static::$csrf_token_key, 'fail');

        // Always reset the token once it has been checked and is still the same,
        // but leave it untouched for ajax requests so a regular form rendered on
        // the same page can still be submitted with the token it was built with
        if (static::fetch_token() == static::$csrf_old_token and ! empty($value) and ! \Input::is_ajax())
        {
            static::set_token(true);
        }

        // The submitted value is compared against the token the client held when the request started
        return $value === static::$csrf_old_token;
    }

  • I just found this problem as well. I have problems when the user opens forms in multiple tabs. Is there a good reason why the token needs to be reset every time? Is there any problem if the user has the same token for their entire session?
  • I don't think this is addressed yet. It was on the roadmap for 1.1, but I can't find an issue relating to it. So can you please create one on https://github.com/fuel/core/issues so it can be picked up?
  • Harro Verton wrote on Thursday 17th of May 2012:
    I don't think this is addressed yet. It was on the roadmap for 1.1, but I can't find an issue relating to it. So can you please create one on https://github.com/fuel/core/issues so it can be picked up?

    Done (https://github.com/fuel/core/issues/961). What do you think is the best way to solve this problem? Do you see any issues with using the same token for the user's entire session?
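The scenario from the opening post, and the two alternatives the thread discusses (skipping the reset for ajax requests, as in the patch above, and keeping one token for the whole session), can be reproduced with a small stand-in for the Security class. This is an added example, not FuelPHP code; TokenStore, the three policy names and runScenario() are assumptions made for the example, and it needs PHP 8.0 or later.

```php
<?php
// Added example, not FuelPHP code: a small stand-in for the Security class so the
// two-form scenario from this thread can be reproduced offline (PHP 8.0+).
// TokenStore, the policy names and runScenario() are assumptions for this example.

final class TokenStore
{
    private const POLICIES = ['rotate', 'rotate_except_ajax', 'session'];

    // Stands in for the csrf cookie: the token the client currently holds.
    private ?string $token = null;

    public function __construct(private string $policy)
    {
        if (!in_array($policy, self::POLICIES, true)) {
            throw new InvalidArgumentException("unknown policy: $policy");
        }
    }

    // Stand-in for Security::fetch_token(): mint a token on first use, reuse it afterwards.
    public function fetchToken(): string
    {
        return $this->token ??= bin2hex(random_bytes(16));
    }

    // Stand-in for Security::check_token(): compare the submitted value against the
    // token the client holds, then apply the rotation policy.
    public function checkToken(string $submitted, bool $isAjax): bool
    {
        $ok = hash_equals($this->fetchToken(), $submitted); // constant-time comparison
        if ($ok && $this->shouldRotate($isAjax)) {
            // A fresh cookie value: every copy of the old token still embedded in a page is now stale.
            $this->token = bin2hex(random_bytes(16));
        }
        return $ok;
    }

    private function shouldRotate(bool $isAjax): bool
    {
        return match ($this->policy) {
            'rotate'             => true,      // the core behaviour described in the thread
            'rotate_except_ajax' => !$isAjax,  // the patch posted above
            'session'            => false,     // one token for the whole session
        };
    }
}

// One page renders two forms; both embed the token that is valid at render time
// (hidden field for the regular form, fuel_csrf_token() for the ajax form).
// The forms are then submitted in the given order and each check result is returned.
function runScenario(string $policy, array $order): array
{
    $store = new TokenStore($policy);
    $pageToken = $store->fetchToken();
    $results = [];
    foreach ($order as $form) {
        $results[$form] = $store->checkToken($pageToken, isAjax: $form === 'ajax');
    }
    return $results;
}

foreach (['rotate', 'rotate_except_ajax', 'session'] as $policy) {
    foreach ([['ajax', 'static'], ['static', 'ajax']] as $order) {
        $line = [];
        foreach (runScenario($policy, $order) as $form => $ok) {
            $line[] = $form . '=' . ($ok ? 'pass' : 'FAIL');
        }
        printf("%-19s %-17s %s\n", $policy, implode(' then ', $order), implode(' ', $line));
    }
}
```

Running it prints a pass/FAIL pair for each policy and submission order. Under rotate the second form always fails; under rotate_except_ajax it still fails when the regular form is submitted before the ajax one, so the patch only covers the order described in the opening post; only the session policy passes in both orders, and it is also the only one of the three that survives the multiple-tabs case raised later in the thread. A session-wide token should be replaced whenever the session's authentication state changes (for example at login), at the same point the session id is regenerated.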
