One token per form #14
Comments
Adding one token per form will significantly increase the attack surface for the vast majority of web apps, because lots of valid tokens will never be consumed, leaving them available for compromise. However, separate tokens per form would be required if an application is to use AJAX to allow multiple forms per page to be submitted. How about adding a parameter to the
Coincidentally, when I was submitting this repo to packagist, I forgot to

This could be the solution to the problem of having many tokens out in the

On Wed, 2 Mar 2016, 20:41 James Fellows, notifications@github.com wrote:
In the ArrayTokenStore, the tokens would effectively expire when the session expires. Are you suggesting having tokens automatically expire after a period of time? That would be a separate feature I guess. It would have a performance impact - I'd need to check every token's timestamp against the current time, but it's easy enough.
I don't know whether it's a better solution, but it was certainly how Packagist did it. Regarding performance, wouldn't the timestamp only need to be checked when there is a POST made? Not every time the page renders? I'll do some research as to how other frameworks do it.
Yes good point - in which case this would form a tiny part of the POST processing time.
Just realised that we could be missing the point here. If the developer is going to use ajax for submitting forms, they will need a way of refreshing tokens on the client-side anyway - in case the user submits the same form twice.
You're falling into the trap of jquery style ajax, where page logic is duplicated client side. The clean way of using ajax to submit forms is to simply perform a standard HTTP request, and just replace the part of the DOM that changes, including the new CSRF token from the new page.
Isn't this library supposed to be good for the jquery crew too? :)
We shouldn't introduce something that promotes bad coding; there's nothing inherently wrong with jquery's ajax, stopping jquery coders using this repo - I was referring to the tonne of bad advice online that gives jquery a bad name. To be clear: JavaScript/jquery/curl can use this library, but we should not introduce any mechanism for arbitrarily generating new tokens (via a URL call, for example), just to satisfy bad coding style.
Rather than one token for all forms, this will allow ajax requests to use the already generated tokens rather than having to generate their own.
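An added illustration of the trade-off discussed in this thread, written in Python and not taken from this library (which is PHP, per the Packagist mention) or from anyone here: a hypothetical `FormTokenStore` that keeps one single-use token per form id, records an issue timestamp, and checks the lifetime only while verifying a POST, with `outstanding()` counting the live unconsumed tokens the first comment warns about. The class name, the `lifetime_seconds` default and the injectable `clock` are my assumptions.

```python
import hmac
import secrets
import time


class FormTokenStore:
    """Hypothetical per-form CSRF token store (not the library's ArrayTokenStore).

    Each form id gets its own single-use token with an issue timestamp. The
    lifetime is checked only inside verify(), i.e. while processing a POST,
    so rendering a page with many forms costs nothing extra.
    """

    def __init__(self, lifetime_seconds=3600, clock=time.time):
        self.lifetime = lifetime_seconds
        self.clock = clock              # injectable for deterministic tests
        self._tokens = {}               # form_id -> (token, issued_at)

    def issue(self, form_id="default"):
        """Mint a fresh token for one form, replacing any earlier one."""
        token = secrets.token_urlsafe(32)
        self._tokens[form_id] = (token, self.clock())
        return token

    def verify(self, submitted, form_id="default"):
        """True exactly once per live token; stale or unknown tokens fail."""
        entry = self._tokens.get(form_id)
        if entry is None:
            return False
        token, issued_at = entry
        if self.clock() - issued_at > self.lifetime:
            del self._tokens[form_id]   # expired: drop it so it cannot linger
            return False
        if not hmac.compare_digest(token, submitted):
            return False                # wrong value: keep the token for a retry
        del self._tokens[form_id]       # single use: consumed on success
        return True

    def outstanding(self):
        """Live (unexpired, unconsumed) tokens: the exposure the first comment flags."""
        now = self.clock()
        return sum(1 for _, issued in self._tokens.values()
                   if now - issued <= self.lifetime)
```

Shortening the lifetime shrinks the window during which never-submitted form tokens remain valid, which is the mitigation the expiry discussion above points toward.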