Allow Subdomains on CSRF Protection

Question

Allow Subdomains on CSRF Protection

Ahmet Bora Mar '17

Created Mar '17	Last Reply Mar '17	Replies 3	Views 907	Votes 0

Ahmet Bora 58.1k

Mar '17

My application is: app.example.com (Phalcon MVC)

My website is: www.example.com (PHP Native)

I want to app login from website with CSRF but i couldnt solve.

I'm getting CSRF token from application api like that:

public function getCsrfTokenAction()
{        
    return $this->response->setJsonContent(array(
            'key' => $this->security->getTokenKey(), 
            'value' => $this->security->getToken()
        ));
}

And application response service like that:

$di->setShared('response', function () {
    $response = new Response();                      
    $response->setHeader('Access-Control-Allow-Origin', 'example.com');   
    $response->setHeader('Access-Control-Allow-Credentials', true);   
    $response->sendHeaders();

    return $response;
});

But this is not working. What missing?

Thanks

le51 · Answer 1 · 2017-03-28T12:01:36-07:00

Hi,

I think you have to deal with CORS: https://enable-cors.org/

or https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS

But, I imagine you already know that

And regarding how is your website build (single page javascript frontend app, or a kind of classical php website -like a phalcon mvc one- ) solution may be different ...

Is

$di->setShared('response', function () { ....

set in your api app or in your website app ?

Ahmet Bora · Answer 2 · 2017-03-28T12:09:46-07:00

Hmm, I'm trying PHP website via POST to Phalcon MVC application. Not javascript.

I have tried Access-Control-Allow-Origin on htaccess, php header and phalcon response but didnt work.

Dou you have an idea?

Website is PHP, Application is Phalcon MVC

le51 · Answer 3 · 2017-03-28T12:52:21-07:00

Dou you have an idea?

unfortunately not ! But for a future project I will have to dig in this kind of scenario ... So I will try to help

Just for clarification: you said that api.example.com is a phalcon mvc app. Does that mean that the sended responses from that host are full html pages ?

How do the www.example.com pages request api.example.com Because usually this situation happend (and maybe is only supported) through XML httpRequest objects.

And for "debuging" purpose, does a cross origin request work if you disable all the csrf token chek ?

Wojciech Ślawski · Answer 4 · 2017-03-30T02:22:19-07:00

Wojciech Ślawski
145.0k

Mar '17

Most likely it's about session - you need to set subdomain session.