PHP
DarkMatter, 2016-05-31 15:16:37

Could someone explain CSRF for those of us who are completely out of the loop?

I have read https://habrahabr.ru/post/235247/ and other articles on smaller resources.
Right now I set cookies for 1 hour; apart from the cookie name nothing is stored in them, the email is stored in the session, and the id and the session itself are not stored anywhere (except in the server's temp directory, of course).
If I understand correctly, then:
1. The user logs in; during login we generate a token for them and put it in the session.
2. Every form has a hidden token field that is filled, without the user noticing, with the value from the session.
3. But when the form data comes back, the incoming token has to be compared against the original somehow, otherwise anyone could send anything and the whole thing is pointless. It follows that for there to be an "original" from step 1, the token should be written not only to the session but also to the database, from which it is read back for comparison on every check.
And it would have to be updated in the database on every login...
4. GET requests cannot be protected with tokens at all.
Is this the case or did I miss something?

3 answers
xfg, 2016-05-31
@darkmatter

"4. GET requests cannot be protected with tokens"

They can be, but there is no need. A GET request should do nothing except serve content. Update/delete/create should go through POST on a classic website, and through PUT/DELETE/POST on a RESTful API.
Have the client send the CSRF token in the POST request. Have the server save the CSRF token to the session when the session starts. Have the server, before processing a POST request, check that the token from the request matches the one in the session.
Storing the token in the database is redundant. By keeping it in the session you always have access to it, and the client has no way to change it.
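The session-only flow described in steps 1 to 3 of the question and recommended in xfg's answer, written out in PHP as an added example (this is not code from the original post or from any of the answers). The function names and the `csrf_token` field name are my own choices; `$session` is a plain array standing in for `$_SESSION` so the file runs from the CLI without `session_start()` or an HTTP request.

```php
<?php
// Added example: synchronizer-token CSRF protection using only the session.
// No database is involved; the session is the server-side "original".
declare(strict_types=1);

// Step 1: generate the token once per session and keep it in the session.
// $session stands in for $_SESSION (assumption made so this runs from the CLI).
function csrf_token(array &$session): string
{
    if (empty($session['csrf_token'])) {
        // 32 bytes from the OS CSPRNG, hex-encoded to 64 characters.
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

// Step 2: the hidden field to drop into every state-changing (POST) form.
function csrf_field(array &$session): string
{
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrf_token($session), ENT_QUOTES, 'UTF-8')
        . '">';
}

// Step 3: on every POST, compare the submitted token with the session copy
// before doing anything else with the request. hash_equals() compares in
// constant time, so the token cannot be recovered byte by byte via timing.
function csrf_check(array $session, array $post): bool
{
    $expected = $session['csrf_token'] ?? '';
    $given    = $post['csrf_token'] ?? '';
    // Reject when no token was ever issued, and reject non-string input
    // (csrf_token[]=x would otherwise make hash_equals() throw a TypeError).
    if ($expected === '' || !is_string($given)) {
        return false;
    }
    return hash_equals($expected, $given);
}

// --- demo with a constructed session and constructed requests ---
$session = [];                       // fresh session for a just-logged-in user
echo csrf_field($session), PHP_EOL;  // the hidden field the user's browser gets

// Legitimate submission: the browser echoes the hidden field back.
$goodPost  = ['csrf_token' => $session['csrf_token'], 'action' => 'delete'];
// Forged submission from another origin: the attacker cannot read the
// victim's session, so the token is either missing or a guess.
$badPost   = ['action' => 'delete'];
$guessPost = ['csrf_token' => str_repeat('a', 64), 'action' => 'delete'];
// Malformed submission: array instead of string.
$arrayPost = ['csrf_token' => ['x'], 'action' => 'delete'];

var_dump(csrf_check($session, $goodPost));
var_dump(csrf_check($session, $badPost));
var_dump(csrf_check($session, $guessPost));
var_dump(csrf_check($session, $arrayPost));
```

In a real application you would call `session_start()` and pass `$_SESSION` and `$_POST` in place of the constructed arrays, and run `csrf_check()` only for the methods that change state (POST, and PUT/DELETE on an API); GET handlers need no token because they are not supposed to do anything except return content.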

Artem Soshnikov, 2016-05-31
@artem90

Look at ready-made solutions, like this one:
https://github.com/BKcore/NoCSRF
If you want to understand how it all works, you can read the code of that library.

#algooptimize #bottize, 2016-05-31
@user004

There should be ready-made solutions; look at how it is implemented in them, for example in ASP.NET MVC. It is better not to put anything into GET, and in general better not to use it in many places. If there is no session, why is there a question about this vulnerability at all? The session is not stored, how is that? The token must match the session and, for example, the path.
