Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Token value per session #9

Closed
playinteractive opened this issue Aug 17, 2018 · 14 comments
Closed

Token value per session #9

playinteractive opened this issue Aug 17, 2018 · 14 comments
Labels
enhancement

Comments

@playinteractive
Copy link

Hi,

Is it possible to use one token name & value per session? Now is working on every request and the sess file is too long.

Thanks!
@peter279k
Copy link
Member

peter279k commented Aug 18, 2018
edited
Loading

@playinteractive, thank you for your reply.

According to the current approach. the token name and value are stored in the $_SESSION['CSRF'] associate array.

I think you want to separate this associate array and they possibly will be the $_SESSION['token_name'] and $_SESSION['token_value'] ?

I think it can be possible, but this is the small change or feature. The decision that it's up to the @s3b4stian.

Perhaps it can be the optional method to let developers decide to store them together or separation 👍 .

@s3b4stian
Copy link
Member

Thanks for the question!

Yes should be possible but isn't the scope of csrf token.

Token should be used on forms where the user do a dispositive action, a delete a modify or an update. On read action it should not be necessary.

Set up the token only for forms, look on the OWASP website for more information about this time of web attack!

@s3b4stian
Copy link
Member

s3b4stian commented Aug 18, 2018
edited
Loading

Reflecting on the space occupied, I could save in session, only the hash of the name and token value pair in order to save memory or disk space.

I have to try the change.

However it considers the use of the token only for the forms.

@peter279k
Copy link
Member

@s3b4stian, thank you for your reply. I think it's not necessary to separate the token name and value from the $_SESSION['CSRF'].

If we have to separate this, it's okay to do that 👍.

@playinteractive
Copy link
Author

Hi peter279k and s3b4stian,

Thanks for your reply. What I mean is this (extracted from the sess file):

CSRF|a:34:{s:21:"csrf_df0336966fbc4caf";a:2:{s:4:"name";s:21:"csrf_df0336966fbc4caf";s:5:"value";s:64:"9f72afccf70dea1f6ac95dff0a40260ca638fd26d41bde8260154523494cb620";}s:21:"csrf_cae14e4ac83acf1c";a:2:{s:4:"name";s:21:"csrf_cae14e4ac83acf1c";s:5:"value";s:64:"c91af11bfd228d40d60248220ff6dbcf7f2819798d6f49fd73f74be82ff08bc6";}s:21:"csrf_1b791c1958f5d44d";a:2:{s:4:"name";s:21:"csrf_1b791c1958f5d44d";s:5:"value";s:64:"ff9aa8165f6516771081737e2b9208c35ff46e2e137172e9e031988d6b1ace80";}s:21:"csrf_9b1ea1e843d96dd6";a:2:{s:4:"name";s:21:"csrf_9b1ea1e843d96dd6";s:5:"value";s:64:"e713b0f4ca1452e2664b4b42ea19a8eae8a8cb4c74b4ecfe5269624812f35828";}s:21:"csrf_b6ede12d086c70d6";a:2:{s:4:"name";s:21:"csrf_b6ede12d086c70d6";s:5:"value";s:64:"4d62f9822b71e4a78dfba8f25b74fea898c3b90f5518f9898950e883e32db392";}s:21:"csrf_55d1f890e320b1a4";a:2:{s:4:"name";s:21:"csrf_55d1f890e320b1a4";s:5:"value";s:64:"44100f5007ae1a3b6bf6d2647d985e79294a1ce8304da3344523cbaf3d36cfbf";}s:21:"csrf_f48432f4e5742a7f";a:2:{s:4:"name";s:21:"csrf_f48432f4e5742a7f";s:5:"value";s:64:"49bee8c11e2287d0a5165a23186616633e583fe446cb6ffc1626f5d483bf9300";}s:21:"csrf_70f3168f30e2b7ee";a:2:{s:4:"name";s:21:"csrf_70f3168f30e2b7ee";s:5:"value";s:64:"5c26497fc4b550820b4572aa9d63dee485df84e80d5f4c70faddf7bfba0d840e";}s:21:"csrf_4e8ea3e7954d87c2";a:2:{s:4:"name";s:21:"csrf_4e8ea3e7954d87c2";s:5:"value";s:64:"8df8c3a40d34cebce4b25dff34e7de799e0b20c453f071b39ce6d63153635409";}s:21:"csrf_a777b48d3b0314b4";a:2:{s:4:"name";s:21:"csrf_a777b48d3b0314b4";s:5:"value";s:64:"d11812da9e8fae2064f8d20bb16b5df65b61c77c26add8de5535fe95217cafd3";}s:21:"csrf_676af5d8d708cd07";a:2:{s:4:"name";s:21:"csrf_676af5d8d708cd07";s:5:"value";s:64:"b7f44d78fb437b036538f4f3a66ca23122c4698cfb468538e6ae0f85d9079abd";}s:21:"csrf_aaed2a2e98eb2de5";a:2:{s:4:"name";s:21:"csrf_aaed2a2e98eb2de5";s:5:"value";s:64:"23551071660c95daf61643d353fee2690d69528efcd8af37f8d6e6d592cfa4b3";}s:21:"csrf_137aa228ea657eb9";a:2:{s:4:"name";s:21:"csrf_137aa228ea657eb9";s:5:"value";s:64:"dccdafeed06bef2dfddccc493d23227de51b2cd045059b696169d21b1b08fb14";}s:21:"csrf_eb5cb10507d6da51";a:2:{s:4:"name";s:21:"csrf_eb5cb10507d6da51";s:5:"value";s:64:"1746d609f83fbebb2fe989c00bd82bd6846e24ec6cf2492c7b7077f37c8f4fad";}s:21:"csrf_a0990357e41fd5ed";a:2:{s:4:"name";s:21:"csrf_a0990357e41fd5ed";s:5:"value";s:64:"e5ffaf4318bde7c74c80be6abb120ebb1e6d61b40ff3abdd09cadd95c8b4081d";}s:21:"csrf_4b905c4278c59856";a:2:{s:4:"name";s:21:"csrf_4b905c4278c59856";s:5:"value";s:64:"4d676d8babd4bdd36941916bd4b4ad5036a897ecb0d4f2a9afba9fa810101f76";}s:21:"csrf_3e18049174df6472";a:2:{s:4:"name";s:21:"csrf_3e18049174df6472";s:5:"value";s:64:"9dc754499c87b8605a9210f227fe056042bc0df003e23c0e93835383041b552c";}s:21:"csrf_0df5b6445fe5d41c";a:2:{s:4:"name";s:21:"csrf_0df5b6445fe5d41c";s:5:"value";s:64:"a3e666ea25c88484ad299d65add927a59323f7cd3ba9468838a5bd353ff0c8e5";}s:21:"csrf_97f393c9ae3bc967";a:2:{s:4:"name";s:21:"csrf_97f393c9ae3bc967";s:5:"value";s:64:"2989892928bc53471c66ebb530fab38fefaab0a7ecaea8a90e760f04ca4cadc8";}s:21:"csrf_a9a923e88590182a";a:2:{s:4:"name";s:21:"csrf_a9a923e88590182a";s:5:"value";s:64:"873d585f020710ae8b58e4a968cd079a91d48b252780863b56aef8ff4bb35dca";}s:21:"csrf_5488a56a5077b6d1";a:2:{s:4:"name";s:21:"csrf_5488a56a5077b6d1";s:5:"value";s:64:"a447c08438aaf0bba05a4377f4a1344b7dc40d9678c41649d6b22504d927ebb3";}s:21:"csrf_5eedf0637bbd6010";a:2:{s:4:"name";s:21:"csrf_5eedf0637bbd6010";s:5:"value";s:64:"0b1fd1a081084149f9a93acb84a32363ac025595d7c9e5d2be9e729e9cdd5f13";}s:21:"csrf_589e214e676c7cf2";a:2:{s:4:"name";s:21:"csrf_589e214e676c7cf2";s:5:"value";s:64:"ef31f3d08575402610589735038742ccb59494df30f006a0f6f6c463c88f73ff";}s:21:"csrf_00a92bb03106daae";a:2:{s:4:"name";s:21:"csrf_00a92bb03106daae";s:5:"value";s:64:"a582a3863b5b57a41bd34f62b728f52a5527a4660c6dba724f64ae1429544c2e";}s:21:"csrf_9ba2384ec8a70bd7";a:2:{s:4:"name";s:21:"csrf_9ba2384ec8a70bd7";s:5:"value";s:64:"3169e627df932bc314b9bd1cce02b13fc77b210da9c5a7108b5406613c30cd0a";}s:21:"csrf_52d6d71a00f1b458";a:2:{s:4:"name";s:21:"csrf_52d6d71a00f1b458";s:5:"value";s:64:"5de8226d47be93a73fa0444f0d9cb2be716bd0a7ebe410d3ea56fb168a416d08";}s:21:"csrf_c40b32fe800b74a2";a:2:{s:4:"name";s:21:"csrf_c40b32fe800b74a2";s:5:"value";s:64:"0cba99ec91c775270084fa07630bafa5c455a71ba612dd8c583d59ba7636eb6f";}s:21:"csrf_0c352c8bf9973331";a:2:{s:4:"name";s:21:"csrf_0c352c8bf9973331";s:5:"value";s:64:"5f176216fa268c9895308d1ea4874fb00e2d4decafe22b1cfd36f713d049ad70";}s:21:"csrf_d2bc3e483f79c1eb";a:2:{s:4:"name";s:21:"csrf_d2bc3e483f79c1eb";s:5:"value";s:64:"d2dc6c920c95272005f0cd7a55994968b26731690e011ee41856988502ecd09e";}s:21:"csrf_22569c549acd9f89";a:2:{s:4:"name";s:21:"csrf_22569c549acd9f89";s:5:"value";s:64:"a6e04d245791e8527c4d2f336006b3bef7be65e1a3e3e1bb0ef6370cc2f5af66";}s:21:"csrf_19c6a9794ec134b8";a:2:{s:4:"name";s:21:"csrf_19c6a9794ec134b8";s:5:"value";s:64:"d4b5f925f68ec82065e10aafb632ff698dc9c2bd4994cb5d7186e39c3181bf89";}s:21:"csrf_a449ea90a027cbdb";a:2:{s:4:"name";s:21:"csrf_a449ea90a027cbdb";s:5:"value";s:64:"eb40af0f98fd425ccdfd6aa71f04bbe29fa3dccdca395f6625c4a43207bf2b6d";}s:21:"csrf_b87ccf7ec89dd9a7";a:2:{s:4:"name";s:21:"csrf_b87ccf7ec89dd9a7";s:5:"value";s:64:"b14d7ba16bfbbe7923289a1c93dcf468e7147021cfa0e4038910506744826c41";}s:21:"csrf_04c98cc0bed7ddcc";a:2:{s:4:"name";s:21:"csrf_04c98cc0bed7ddcc";s:5:"value";s:64:"14df21e235d4b091259b78a67c1ff80913eb77953f0e30ce6d328c70f80b8717";}}

As you can see there is a lot of "garbage data" in the file, so I have two questions:

  1. All of these tokens are working? Or only the last one?
  2. This is why I asked you about using only one value/name per session.

Acording to:

https://security.stackexchange.com/questions/22903/why-refresh-csrf-token-per-form-request

For the reasons already discussed, it is not necessary to generate a new token per request. It brings almost zero security advantage, and it costs you in terms of usability: with only one token valid at once, the user will not be able to navigate the webapp normally. For example if they hit the 'back' button and submit the form with new values, the submission will fail, and likely greet them with some hostile error message. If they try to open a resource in a second tab, they'll find the session randomly breaks in one or both tabs. It is usually not worth maiming your application's usability to satisfy this pointless requirement.

@peter279k
Copy link
Member

@playinteractive, thank you for your reply.
Do you use the unset function to destroy the $_SESSION['CSRF'] before generating the CSRF token?
I think that array appends the values and they're not deleted before appending the token.

@playinteractive
Copy link
Author

Yes true, I'm using now:

if (isset($_SESSION['CSRF'])) unset($_SESSION['CSRF']);

And works fine! Thanks.

Anyways, maybe you can improve this class adding the possibility to choose using one token per session or request!

Cheers.

@s3b4stian
Copy link
Member

Which version are you using. Every token should be removed from the session superglobal when validate method is used. I do more tests tomorrow!

@s3b4stian
Copy link
Member

About your first question, all tokens are working! Could you peste here the code snippet when you check the token?

@peter279k
Copy link
Member

peter279k commented Aug 20, 2018
edited
Loading

Hi @playinteractive , thank you for your reply. According to the source code on this repository, the unset function will reset correctly the $_SESSION['CSRF'] after calling the validate method.

After calling the validate method, it will also call the doChecks and deleteToken methods.

I think you will generate the new token before calling validation method.

@s3b4stian, perhaps we can let the deleteToken public method or develop the resetToken method to complete this work? I think we should not call the validate if we only want to reset the CSRF token 👍 .

Also, this feature usage should be added in README.md.

@playinteractive
Copy link
Author

Hi there, here is my code to validate:

Before send form:

if (session_status() == PHP_SESSION_NONE) @session_start();

// With this I only work with one token in the sess file
if (!isset($_GET[DIRECTORY_FORM])) if (isset($_SESSION['CSRF'])) unset($_SESSION['CSRF']);

$csrf = new Linna\CsrfGuard(64, 32);

$token = $csrf->getToken();

After send form:

if (!$csrf->validate($_POST)) echo 'Wrong token';

@s3b4stian Yes, after calling validate method unset works fine but only when you send the form. If you refresh a login page the class is generating new tokens making the sess file too long.

@s3b4stian
Copy link
Member

Ok! Perfect!

To reduce the length of the session file, try to set the class like this:

$csrf = new Linna\CsrfGuard(8, 32);

Todo

  • I next release I will add a cleaning mechanism that, when called delete older and surely unused tokens, preserving latest added.
  • README.md file need an update for explain in more exaustive way how the token storage works.

@peter279k
Copy link
Member

peter279k commented Aug 21, 2018
edited
Loading

@s3b4stian, thank you for your reply. I think it's fine to implement new features for my previous comment.

If having any problems, please let me know and I will help you!

@playinteractive
Copy link
Author

Great, thanks @s3b4stian and @peter279k

Cheers!

s3b4stian added a commit that referenced this issue Aug 24, 2018
@s3b4stian
Storage clean system added as Issue #9
b9b8d0e
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@playinteractive @peter279k @s3b4stian