FuelPHP Forums
CSRF token problem report
  • I use 1.9/develop.

    I think there is a csrf_token problem on the current commit.
    commit 1318a2e32f9d8bf7b2a3cb9f4f974421a42dcda7

    Config settings for "security":
         'csrf_autoload'            => true,
         'csrf_autoload_methods'    => array('post', 'put', 'delete'),
         'csrf_bad_request_on_fail' => false,
         'csrf_auto_token'          => true,
         'csrf_token_key'           => 'csrf_token',
         'csrf_expiration'          => 0,

    In this situation, the csrf token does not change at all when you post data.
    The same token always appears.

    For now I am using the following commit.
    commit 9c78e21920ed0eff820422aaf5c84c8795a21b08

    It works with the same config setting.
  • The configuration has changed.

    In 1.8, the csrf_expiration value was "misused" to determine whether or not a token must be rotated. A value of 0, like in your config, caused immediate expiration of the token, and triggered a rotation.

    In 1.9/dev, this misuse is corrected. There is a new config key "csrf_rotate" which is set to true by default, causing a rotation after every request. If it is set to false, it only rotates after expiration.

    An expiration of 0 now means "do not expire until end of session", the normal behaviour of 0 in an expiration value.

    I do however think there is an issue with the code. Can you change line 360 in fuel/core/security.php to

    if ($rotate === false or static::$csrf_old_token !== false)

    and check if this solves your problem?
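The semantics described in the reply above, as an added example that is not part of this thread or of FuelPHP's own Security class: a small PHP model of a session-bound token with a csrf_expiration-style expiry (0 = until end of session) and a csrf_rotate-style switch. The class, its method names and the one-request grace for the previous token are assumptions made for illustration.

```php
<?php
// Constructed model of the 1.9 semantics above: a session-bound CSRF token with
// an expiration (0 = until end of session) and a rotate switch. Not FuelPHP's code.

final class CsrfTokenModel
{
    private ?string $token = null;    // current token (stands in for the session value)
    private ?string $oldToken = null; // previous token, honoured for one request after rotation
    private int $issuedAt = 0;        // unix time the current token was issued

    public function __construct(private int $expiration, private bool $rotate) {}

    private function expired(int $now): bool
    {
        return $this->expiration > 0 && ($now - $this->issuedAt) >= $this->expiration;
    }

    // Called once per request; returns the token the next form should carry.
    public function fetchToken(int $now): string
    {
        if ($this->token === null || $this->rotate || $this->expired($now)) {
            $this->oldToken = $this->token;
            $this->token    = bin2hex(random_bytes(16));
            $this->issuedAt = $now;
        }
        return $this->token;
    }

    // Constant-time check against the current token, or the previous one right after a rotation.
    public function check(?string $submitted, int $now): bool
    {
        if ($submitted === null || $this->expired($now)) {
            return false;
        }
        $valid = $this->token !== null && hash_equals($this->token, $submitted);
        return $valid || ($this->oldToken !== null && hash_equals($this->oldToken, $submitted));
    }
}

// A form rendered on request 1 and re-submitted (browser back button) two requests later.
$model     = new CsrfTokenModel(0, true); // rotate after every request, never expire
$formToken = $model->fetchToken(1000);    // token rendered into the form
$model->fetchToken(1001);                 // next request rotates; previous token still honoured
var_dump($model->check($formToken, 1001));
$model->fetchToken(1002);                 // a second rotation drops the form's token
var_dump($model->check($formToken, 1002));
```

With rotate set to false and expiration 0 the same model hands out one token for the whole session, which is the "do not expire until end of session" behaviour the reply describes.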
  • OK, I understand that the configuration has changed.
    And I found such a comment in "fuel/core/config/config.php".

    I'd like to prevent users from using the browser's history back button and submitting twice.
    So I want to rotate the csrf_token after every single use.

    I tried changing a line in fuel/core/security.php.

    //if ($rotate or static::$csrf_old_token !== false) //original code
    if ($rotate === false or static::$csrf_old_token !== false) //fixed code

    And fixed the configuration as follows.

    'csrf_autoload'            => true,
    'csrf_autoload_methods'    => array('post', 'put', 'delete'),
    'csrf_bad_request_on_fail' => false,
    'csrf_auto_token'          => true,
    'csrf_token_key'           => 'csrf_token',
    'csrf_expiration'          => 1,
    'csrf_rotate'              => true,

    But the situation doesn't change.
    I receive the same token every time.
  • The fact that it is the same with this config isn't good, and I think I have found an omission in the last commit that has caused that. I'm testing now; if it turns out it works, I'll push it.

    But I think you have a misunderstanding about what a CSRF token is. It is not a back-button protection. 

    It might work if you don't use the on-submit javascript function (which means you can't have multiple tabs open), but it will not work otherwise, as when you submit the form after using "back", the script will just pull the valid token from the cookie and insert it in the form. So it will check out ok again...
  • Update committed.

    Tested with expiring tokens, tokens valid for the entire session, and forced token rotation.
  • I know a CSRF token is not suitable for back-button protection.
    It cannot cover all situations. But in this case I think it works well.

    I have confirmed the new commit. It works.
    Thank you.

  • Thanks for the confirmation.
