How to check the CSRF token?

Question

How to check the CSRF token?

xaero Apr '16

Created Apr '16	Last Reply Apr '16	Replies 4	Views 2475	Votes 0

xaero 31.3k

Apr '16

I notice that in the example Vökuró, there is CSRF:

// CSRF
$csrf = new Hidden('csrf');

$csrf->addValidator(new Identical(array(
'value' => $this->security->getSessionToken(),
'message' => 'CSRF validation failed'
)));

$this->add($csrf);

// in volt:
{{ form.render('csrf', ['value': security.getToken()]) }}

According to the manual, we should check if the CSRF token is valid:

if ($this->request->isPost()) {
  if ($this->security->checkToken()) {
  // The token is OK
  }
}

But in the example Vökuró, I didn't see any code that can check the CSRF token... why?

angelvega93 · Answer 1 · 2016-04-14T22:48:00-07:00

Vokuro is using an older version of phalcon, and if you try in the new version csrf always fails.

mraspor · Answer 2 · 2016-04-15T03:59:57-07:00

This should be helpful (Phalcon 2.0.9):


// In services.php 
$di->setShared('security', function () {

    $security = new Security();

    // set Work factor (how many times we go through)
    $security->setWorkFactor(12); // can be a number from 1-12

    // set Default Hash
    $security->setDefaultHash(Security::CRYPT_BLOWFISH_Y); // choose default hash

    return $security;

});

// In YourForm.php
class YourForm extends Form {

    // Holds token key/name
    protected $_csrf;

    public function initialize() {

        // Some other elements...

        // CSRF protection
        $csrf = new Hidden($this->getCsrfName());
        $csrf->setDefault($this->security->getToken())
                ->addValidator(new Identical([
                 'accepted'   => $this->security->checkToken(),
                 'message' => 'CSRF forgery detected!'
             ]));
        $this->add($csrf);
    }

    // Generates CSRF token key
    public function getCsrfName()
    {
        if (empty($this->_csrf)) {
            $this->_csrf = $this->security->getTokenKey();
        }

        return $this->_csrf;
    }
}

// In volt view 

{{ form.render(form.getCsrfName()) }}

I have this code in FormBase.php any each new form just extends from this class.

xaero · Answer 3 · 2016-04-15T17:47:11-07:00

xaero
31.3k

Apr '16

That works! Thank you!

xaero · Answer 4 · 2016-04-15T20:04:21-07:00

Hi, @mraspor

I'm not sure if the CSRF token cheching really works. following is the code

services.php:

$di->setShared('security', function () {
    $security = new Security();
    $security->setWorkFactor(12);
    $security->setDefaultHash(Security::CRYPT_BLOWFISH_Y); // choose default hash
    return $security;
});

$di->set('crypt', function () use ($config) {
    $crypt = new Crypt();
    $crypt->setKey($config->application->cryptSalt);
    return $crypt;
});

FormBase.php and OtherForm.php, just like what you show

class FormBase extends Form
{
    protected $_csrf;

    public function initialize()
    {
        $csrf = new Hidden($this->getCsrfName());
        //$csrf->clear();
        $csrf->setDefault($this->security->getToken())
            ->addValidator(new Identical([
                'accepted'   => $this->security->checkToken(),
                'message' => 'CSRF forgery detected!'
            ]));
        //var_dump($this->security->getToken());
        $this->add($csrf);
    }

    // Generates CSRF token key
    public function getCsrfName()
    {
        if (empty($this->_csrf)) {
            $this->_csrf = $this->security->getTokenKey();
        }

        return $this->_csrf;
    }
}

//other forms
class RegisterForm extends FormBase
{
    public function initialize($entity = null)
    {
        parent::initialize();
    }
}

And in the controller:

$form = new RegisterForm();
if ($this->request->isPost()) {
    if ($form->isValid($this->request->getPost()) == false) {
        foreach ($form->getMessages() as $message) {
            $this->flash->error((string) $message);
        }
    } else {
        $this->flash->success('ok');
        var_dump($this->request->getPost());
        var_dump($this->security->checkToken());
    }
}

when I fill the form, and manually modify the token value, and submit....It just says 'ok', seems the addValidator(new Identical(...)) can't work!

why?

huoybb · Answer 5 · 2016-04-15T22:01:21-07:00

Below is how I handle this CSRF problem:

1, in myForm class:


public static function buildResetPasswordForm()
    {
        $form = new Form();
        $form->add(new Password('password1'));
        $form->add(new Password('password2'));
        $form->add(new Hidden('csrf',['name'=>SecurityFacade::getTokenKey(),'value'=>SecurityFacade::getToken()]));
        $form->add(new Submit('重置'));
        return $form;
    }

2, in controller file :

if($this->request->isPost() && SecurityFacade::checkToken()){
            $data = $this->request->getPost();
            if($this->isTwoPasswordSame($data)){
                $user->changePassword($data['password1']);
                User::loginByUser($user);

                return $this->redirectByRoute(['for'=>'home']);
//                return $this->redirectByRoute(['for'=>'login']);
            }
            FlashFacade::error('两次密码输入不一致');
        }
        $this->view->form = myForm::buildResetPasswordForm();

3, in volt file:

    <div class="row">
        <div class="col-md-8 col-md-offset-2">
            <div class="panel panel-default">
                <div class="panel-heading">密码重置</div>
                <div class="panel-body">
                    {{ flash.output() }}
                    {{ form("method": "post","class":"form-horizontal","role":"form") }}

                    <div class="form-group">
                        <label class="col-md-4 control-label">输入密码</label>
                        <div class="col-md-6">
                            {{ form.render('password1',['class':"form-control"]) }}
                        </div>
                    </div>

                    <div class="form-group">
                        <label class="col-md-4 control-label">重新输入密码</label>
                        <div class="col-md-6">
                            {{ form.render('password2',['class':"form-control"]) }}
                        </div>
                    </div>
                    <div class="form-group">
                        <div class="col-md-6 col-md-offset-4">
                            {{ form.render('重置',['class':"btn btn-primary"]) }}
                        </div>
                    </div>
                    {{ form.render('csrf') }}

                    {{ endform() }}
                </div>
            </div>
        </div>
    </div>

note: I use the facade patterm like laravel, see more: https://forum.phalcon.io/discussion/10371/borrow-facade-design-pattern-from-laravel

xaero · Answer 6 · 2016-04-16T17:14:13-07:00

@huoybb 谢谢！你这个相当于扩展了phalcon的验证类？看得不是很懂，我要Phalcon原始的验证类

huoybb · Answer 7 · 2016-04-17T04:37:29-07:00

看手册啦！注意，Session和Security的设置需要事先设置好。

https://docs.phalcon.io/en/latest/reference/security.html#cross-site-request-forgery-csrf-protection

@huoybb 谢谢！你这个相当于扩展了phalcon的验证类？看得不是很懂，我要Phalcon原始的验证类