csrf, switch from token per request to token per session. solves issu…

…es when using multiple tabs.
opnsense · Feb 2, 2017 · f20640d · f20640d · fraenki · Feb 4, 2017
1 parent 895e30d
commit f20640d
Show file tree

Hide file tree

Showing 2 changed files with 15 additions and 19 deletions.
diff --git a/src/opnsense/mvc/app/controllers/OPNsense/Base/ControllerBase.php b/src/opnsense/mvc/app/controllers/OPNsense/Base/ControllerBase.php
@@ -177,7 +177,7 @@ public function beforeExecuteRoute($dispatcher)
             }
 
             // check for valid csrf on post requests
-            if ($this->request->isPost() && !$this->security->checkToken()) {
+            if ($this->request->isPost() && !$this->security->checkToken(null, null, false)) {
                 // post without csrf, exit.
                 $this->response->setStatusCode(403, "Forbidden");
                 return false;
@@ -195,10 +195,9 @@ public function beforeExecuteRoute($dispatcher)
         }
 
         // include csrf for volt view rendering.
-        $this->view->setVars([
-            'csrf_tokenKey' => $this->security->getTokenKey(),
-            'csrf_token' => $this->security->getToken()
-        ]);
+        $csrf_token = $this->session->get('$PHALCON/CSRF$');
+        $csrf_tokenKey = $this->session->get('$PHALCON/CSRF/KEY$');
+        $this->view->setVars(['csrf_tokenKey' => $csrf_tokenKey,'csrf_token' => $csrf_token]);
 
         // link menu system to view, append /ui in uri because of rewrite
         $menu = new Menu\MenuSystem();

diff --git a/src/www/csrf.inc b/src/www/csrf.inc
@@ -28,8 +28,6 @@
 
 class LegacyCSRF
 {
-    private $securityToken = null;
-    private $securityTokenKey = null;
     private $di = null;
     private $security = null;
     private $session = null;
@@ -58,16 +56,13 @@ class LegacyCSRF
     {
         $result = false; // default, not valid
         $this->Session();
-        // do not destroy token after successfull validation, some pages use ajax type requests
-        $this->securityTokenKey = $_SESSION['$PHALCON/CSRF/KEY$'];
-        $this->securityToken = !empty($_POST[$this->securityTokenKey]) ? $_POST[$this->securityTokenKey] : "";
-        if (empty($this->securityToken)) {
+        $securityTokenKey = $_SESSION['$PHALCON/CSRF/KEY$'];
+        if (empty($_POST[$securityTokenKey])) {
             if (!empty($_SERVER['HTTP_X_CSRFTOKEN'])) {
-                $this->securityToken = $_SERVER['HTTP_X_CSRFTOKEN'];
-                $result = $this->security->checkToken(null, $this->securityToken, false);
+                $result = $this->security->checkToken(null, $_SERVER['HTTP_X_CSRFTOKEN'], false);
             }
         } else {
-            $result = $this->security->checkToken($this->securityTokenKey, $this->securityToken, false);
+            $result = $this->security->checkToken($securityTokenKey, $_POST[$securityTokenKey], false);
         }
         // close session after validation
         session_write_close();
@@ -77,12 +72,14 @@ class LegacyCSRF
     private function newToken()
     {
         $this->Session();
-        // only request new token when checkToken() hasn't saved one
-        if ($this->securityToken == null) {
-            $this->securityToken = $this->security->getToken();
-            $this->securityTokenKey = $this->security->getTokenKey();
+        // only request new token when session has none
+        $securityTokenKey = $_SESSION['$PHALCON/CSRF/KEY$'];
+        $securityToken = $_SESSION['$PHALCON/CSRF$'];
+        if (empty($securityToken) || empty($securityTokenKey)) {
+            $securityToken = $this->security->getToken();
+            $securityTokenKey = $this->security->getTokenKey();
         }
-        return array('token'=>$this->securityToken, 'key' => $this->securityTokenKey);
+        return array('token'=>$securityToken, 'key' => $securityTokenKey);
     }
 
     public function csrfRewriteHandler($buffer)