CSRF Protection

Question

CSRF Protection

Pavlo Sadovyi May '13

Created May '13	Last Reply Jun '20	Replies 12	Views 6614	Votes 6

Pavlo Sadovyi 23.6k

May '13

Hi all! Who knows how can I protect all forms (~10 forms) on page of CSRF? I already tried to set hidden input:

{{ form.render('csrf', ['value': security.getToken()]) }}

in form builder class:

// CSRF
$csrf = new Hidden('csrf');
$csrf->addValidator(
    new Identical(array(
        'value' => $this->security->getSessionToken(),
        'message' => $t->form->post->csrf
    ))
);

But it's always validating as false. I have 3 suggestions:

I should start session in some BaseController, but I don't know how to do it.. Help plz!
Every form have an unique value="...", but server side stores only last token... So on one page all forms protected from CSRF will fails except of last form. (I hope that's not true.)

Any suggestions?

6

Phalcon · Answer 1 · 2013-05-11T17:08:28-07:00

Check the example in Vokuro:

https://github.com/phalcon/vokuro/blob/master/app/config/services.php#L87 https://github.com/phalcon/vokuro/blob/master/app/views/session/signup.volt#L53 https://github.com/phalcon/vokuro/blob/master/app/forms/SignUpForm.php#L104

Pavlo Sadovyi · Answer 2 · 2013-05-12T07:01:18-07:00

Hi! Thanks for your answer, have one more question can I use all of this but without form builder??

Phalcon · Answer 3 · 2013-05-12T11:06:36-07:00

Check this chapter in the documentation: https://docs.phalcon.io/en/latest/reference/security.html#cross-site-request-forgery-csrf-protection

Pavlo Sadovyi · Answer 4 · 2013-05-16T12:35:19-07:00

Huh! That's not so obivous, that what I need this line:

if ($this->request->isPost()) {

to validate the token, even route to action is already declared as addPost(...) ;)

Pavlo Sadovyi · Answer 5 · 2013-05-20T11:37:36-07:00

PFFFFFFFFFFFFF I need your help again! I did exaclty the same like in that chapter. I developing app like a forum, on one page I have a 10 themes on page and under each theme I have a form called "Quick post" each of this form protected from CSRF. And when I testing it, answering in many themes on one page, my token is invalidates very often.

Action that handles adding post request

public function addAction($boardAbbr)
    {
        if ($this->request->isPost()) {
            if ($this->security->checkToken()) {

              ..................

               if (!$post->save()) {
                    foreach ($post->getMessages() as $message)
                    $this->flash->error((string) $message);

                } else {
                    if ($this->request->isAjax()) {
                        echo json_encode(array(
                            'status' => true,
                            'message' => 'post added.',
                            'data' => array(
                                'post_id' => $post->id,
                                'pictures' => explode('|', $names)
                            )
                        ));
                    }
                    else {
                        $this->flashSession->success('post added.');
                        $this->response->redirect('#post-'.$post->id);
                    }
                }
            } else { echo 'token is bad.'; }

In form:

<input type="hidden" name="{{ security.getTokenKey() }}" value="{{ security.getToken() }}">

Token invalidates from time to time ..... What can I do??

Jesse Boyer · Answer 6 · 2013-11-25T20:50:06-07:00

Get the CSRF tokens in the controller through the Security and assign it to the view.

<?php
class AccountController extends BaseController
{
    public function indexAction()
    {
        $this->view->setVars([
            'tokenKey' => $this->security->getTokenKey(),
            'token' => $this->security->getToken()
        ]);
    }
}

Then My view I re-used the variable:

<form method="post" action="{{ url('account/doEmailUpdate') }}">
    <input type="text" name="email" class="form-control" placeholder="Email address" autofocus>
    <input type="text" name="confirm_email" class="form-control" placeholder="Confirm">
    <input type="hidden" name="{{ tokenKey }}" value="{{ token }}" />
    <input class="btn btn-lg btn-primary btn-block" type="submit" value="Submit">
</form>
<form method="post" action="{{ url('account/doPasswordUpdate') }}">
    <input type="text" name="password" class="form-control" placeholder="New Password">
    <input type="text" name="confirm_password" class="form-control" placeholder="Confirm">
    <input type="hidden" name="{{ tokenKey }}" value="{{ token }}" />
    <input class="btn btn-lg btn-primary btn-block" type="submit" value="Submit">
</form>

MEHEUT · Answer 7 · 2014-05-02T02:42:27-07:00

Thank you for this advice. Actually, to manage token for form security, I found 2 things important:

First One: if you want to add a form using getToken() from IndexController, you will have a problem as getToken() will be called each time, so that the csrf checking will fail. My solution; create a HomeController and setup default controller at home
Second One: if you have more than one form for same action/controller, if each form call getToken(), you will have 2 different tokens. So the last form will work but not the first one Jesse solution solve this problem.

I learn Phalcon/csrf with Vokuro sample and I'm not sure this the best way as it's not dealing with form in index page or multi-form on same page

Sorry for my english, I hope that'll help

Sergey · Answer 8 · 2014-06-15T07:30:07-07:00

That version with support for multiple tokens. https://github.com/ustasby/phalcon-class/blob/master/Token.php

saeed-jafari · Answer 9 · 2014-12-07T10:46:28-07:00

I know the problem is solved but there is an easier way too,

if you see checkToken method defenition:

public boolean checkToken ([string $tokenKey], [string $tokenValue])

it gets input parameters so you just need to define unique key for each form and when you want to check token, pass both key and the value to checkToken method.

Steven Rhodes · Answer 10 · 2016-05-16T16:24:10-07:00

For pages that have more than one form you can use the same token for all forms. You are protecting the page and all form(s) from cross site attacks. Protecting multiple forms individually has no advantage.

Thank you for this advice. Actually, to manage token for form security, I found 2 things important:

First One: if you want to add a form using getToken() from IndexController, you will have a problem as getToken() will be called each time, so that the csrf checking will fail. My solution; create a HomeController and setup default controller at home

Second One: if you have more than one form for same action/controller, if each form call getToken(), you will have 2 different tokens. So the last form will work but not the first one Jesse solution solve this problem.

I learn Phalcon/csrf with Vokuro sample and I'm not sure this the best way as it's not dealing with form in index page or multi-form on same page

Sorry for my english, I hope that'll help

Videles · Answer 11 · 2017-05-01T03:16:21-07:00

I had a problem getting the check for the token to work on a login form and i could solve it using your method.


$token    = $this->request->getPost('csrf');

if($this->security->checkToken( $token, $this->security->getSessionToken()) ) {

}

Lee Howarth · Answer 12 · 2018-03-19T20:29:11-07:00

I think it is worth noting that the code below:

    $security = new Hidden('security');
    $security->addValidators([
        new Identical([
            'value' => $this->security->getSessionToken()
        ])
    ]);
    $this->add($security);

Can be classed as insecure... the secure way would be:

    $security = new Hidden('security');
    $security->addValidators([
        new PresenceOf([
        ]),
        new Identical([
            'value' => $this->security->getSessionToken()
        ])
    ]);
    $this->add($security);

If the client does not have cookies enabled, then the session token would be null and that means the csrf input can be removed and the form would submit.

DrJLT · Answer 13 · 2019-12-13T03:44:28-07:00

This is the best solution IMO.

Get the CSRF tokens in the controller through the Security and assign it to the view.

<?php
class AccountController extends BaseController
{
   public function indexAction()
   {
       $this->view->setVars([
           'tokenKey' => $this->security->getTokenKey(),
           'token' => $this->security->getToken()
       ]);
   }
}

Then My view I re-used the variable:

<form method="post" action="{{ url('account/doEmailUpdate') }}">
   <input type="text" name="email" class="form-control" placeholder="Email address" autofocus>
   <input type="text" name="confirm_email" class="form-control" placeholder="Confirm">
   <input type="hidden" name="{{ tokenKey }}" value="{{ token }}" />
   <input class="btn btn-lg btn-primary btn-block" type="submit" value="Submit">
</form>
<form method="post" action="{{ url('account/doPasswordUpdate') }}">
   <input type="text" name="password" class="form-control" placeholder="New Password">
   <input type="text" name="confirm_password" class="form-control" placeholder="Confirm">
   <input type="hidden" name="{{ tokenKey }}" value="{{ token }}" />
   <input class="btn btn-lg btn-primary btn-block" type="submit" value="Submit">
</form>

DrJLT · Answer 14 · 2019-12-14T07:20:49-07:00

Need to point out that the answer above has a major issue with multiple windows / tabs.

I also found out the hard way that getSessionToken() is closely related to getToken(). It likes to become null unless getToken() is called on every form.

The only solution is to store the token in session. This is the only right solution that supports multiple windows: https://forum.phalcon.io/discussion/18827/csrf-security

asdfd33e · Answer 15 · 2020-06-22T17:16:30-07:00

I developing app like a discussion board, on one web page I even have a ten issues on web page and below each subject I actually have a form called "Quick submit" every of this shape blanketed from CSRF.