
[FORMS] Protection against CSRF attacks should be AJAX friendly #5187

Open
elvinas-liut opened this issue Mar 16, 2016 · 8 comments

Comments

@elvinas-liut
Contributor

Protection against CSRF attacks should be AJAX friendly, just like getValidationErrorResponse().
Now it breaks AJAX requests if the PHP session has expired.

@dhensby
Contributor

dhensby commented Mar 19, 2016

What way do you want it to be nicer?

@tractorcow
Contributor

If the PHP session is expired, then the in-CMS authentication should pop up and request the user to log in again.

Once that's done, it's meant to re-populate all CSRF hidden inputs in the current page.

If your session is expiring, are you getting the CMS popup requesting you to re-enter your password?

@dhensby
Contributor

dhensby commented Mar 21, 2016

I had thought this was more aimed at front-end, not CMS, AJAX.

@tractorcow
Contributor

Hm, maybe the error condition isn't well catered for... you could be posting to an un-authenticated form, although the CSRF itself could fail. In which case, maybe the CMS re-authentication won't kick in properly. :)

I think in this case I'll need a more concise error reproduction process, if you are able to help, @uniun .

Which form did you post to, what URL, what was the expected response, and what was the actual response? You were expecting JSON and getting HTML, right?

@elvinas-liut
Contributor Author

Sorry for the late response.

@dhensby is right, I was talking about frontend.

Sometimes the session lifetime is very short and you cannot increase it because you are not allowed to change it. Let's say the session lifetime is just about 10 minutes and you leave the page with a form for 15 minutes. Then you do an AJAX form submission.

Form checks for CSRF attacks and redirects you back instead of rendering a form: Form.php#L380.

But I think that it could check for an AJAX request and render a form, just like on Form.php#L501.

@tractorcow
Contributor

Ok, my ideal fix for this is posted on another issue... I've responded to thousands and can't remember where it is though... take the hard-coded logic out of Form.php and put it into a CSRFFormField, and implement the validate() logic there.

That way invalid forms will trigger normal form field validation, rather than having custom handling that breaks the CMS randomly.

@zanderwar
Contributor

@tractorcow is this still planned?

In other CMSes (Invision Power Suite, for example) they would have a simple function, $this->getCSRFtoken(), which would output the hidden field; then on the recipient side of things you could have a one-liner, $this->validateCSRFtoken().
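
The following is an added illustration of the two ideas above (the CSRFFormField with its own validate() logic, and the getCSRFtoken()/validateCSRFtoken() one-liners) with an AJAX-aware failure path. It is not SilverStripe's code and not from this issue's participants. It assumes plain PHP sessions, uses the field name SecurityID only because that is the name SilverStripe uses, and treats the X-Requested-With header as a hint for choosing the response format (JSON vs. redirect), never as part of the security decision, since any client can set it.

```php
<?php
// Added example, not SilverStripe framework code: a minimal CSRF token helper
// whose failure path is AJAX friendly. Assumes PHP sessions are available.
declare(strict_types=1);

final class CsrfToken
{
    private const SESSION_KEY = 'csrf_token';

    // Return the session-bound token, minting one on first use.
    public static function get(): string
    {
        if (session_status() !== PHP_SESSION_ACTIVE) {
            session_start();
        }
        if (empty($_SESSION[self::SESSION_KEY])) {
            $_SESSION[self::SESSION_KEY] = bin2hex(random_bytes(32));
        }
        return $_SESSION[self::SESSION_KEY];
    }

    // The "getCSRFtoken()" one-liner: a hidden input to embed in the form.
    // Field name "SecurityID" is assumed here to mirror SilverStripe's convention.
    public static function hiddenField(string $name = 'SecurityID'): string
    {
        return sprintf(
            '<input type="hidden" name="%s" value="%s">',
            htmlspecialchars($name, ENT_QUOTES, 'UTF-8'),
            htmlspecialchars(self::get(), ENT_QUOTES, 'UTF-8')
        );
    }

    // The "validateCSRFtoken()" one-liner. An expired session means there is no
    // stored token, so the check fails exactly like a forged or stale token.
    public static function validate(?string $submitted): bool
    {
        if (session_status() !== PHP_SESSION_ACTIVE) {
            session_start();
        }
        $expected = $_SESSION[self::SESSION_KEY] ?? null;
        if ($expected === null || $submitted === null) {
            return false;
        }
        // Constant-time comparison; never use == or === for secrets.
        return hash_equals($expected, $submitted);
    }
}

// Format hint only: decides how to report the failure, not whether it failed.
function isAjaxRequest(array $server): bool
{
    return strtolower($server['HTTP_X_REQUESTED_WITH'] ?? '') === 'xmlhttprequest';
}

// AJAX callers get a JSON 403 with a fresh token so they can re-populate the
// hidden input; browser form posts get the redirect back to the form.
function csrfFailureResponse(array $server, string $formUrl): void
{
    if (isAjaxRequest($server)) {
        http_response_code(403);
        header('Content-Type: application/json');
        echo json_encode([
            'ok'         => false,
            'code'       => 'csrf_token_invalid',
            'message'    => 'Your session has expired. Please retry the submission.',
            'SecurityID' => CsrfToken::get(),
        ]);
        return;
    }
    http_response_code(303);
    header('Location: ' . $formUrl);
}

// Handler sketch: the CSRF check runs before any form processing.
function handleSubmit(array $post, array $server): void
{
    if (!CsrfToken::validate($post['SecurityID'] ?? null)) {
        csrfFailureResponse($server, '/contact-form'); // assumed form URL
        return;
    }
    // ... process the validated form here ...
    header('Content-Type: application/json');
    echo json_encode(['ok' => true]);
}

if (PHP_SAPI !== 'cli') {
    handleSubmit($_POST, $_SERVER);
}
```

The client-side half is then a single branch: on a 403 with code csrf_token_invalid, replace the value of the SecurityID input with the one in the response and re-submit, or prompt the user to log in again, rather than receiving an HTML redirect it cannot interpret.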

Firesphere added a commit to Firesphere/silverstripe-framework that referenced this issue Oct 1, 2016
@sminnee sminnee changed the title Protection against CSRF attacks should be AJAX friendly [FORMS] Protection against CSRF attacks should be AJAX friendly Oct 6, 2018
@maxime-rainville
Contributor

Can someone confirm whether this is still a problem in SS4?
