View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0005890 | Composr | core | public | 2024-08-14 19:29 | 2024-09-06 01:58 |
Reporter | Patrick Schmalstig | Assigned To | Patrick Schmalstig |
Severity | Feature-request |
Status | closed | Resolution | won't fix |
Product Version | |
Fixed in Version | |
Summary | 0005890: Consider additionally validating CSRF via cookie |
Description | As an added layer of security, consider also setting the CSRF token as an HttpOnly / Secure cookie, and upon server-side validation, validate both the POST parameters and the cookies to ensure the CSRF token has been passed in by both methods and is correct. Make sure this will work for AJAX requests especially. And check to see if there are any downsides to this approach, such as compatibility (e.g. what if cookies are rejected?). |
Additional Information | Implementing this will make forging the token exceptionally hard for attackers. |
Tags | Roadmap: v11, Type: Security |
Time estimation (hours) | |
Sponsorship open | |
related to | 0005887 | resolved | Patrick Schmalstig | Session cookies should always be HttpOnly / Secure where applicable |
Notes

Note 0009193 (Patrick Schmalstig, 2024-08-14 19:31): Will need to make special considerations for http_requests. If we REALLY wanted to go hardcore, we could also make it so the cookie is a different token from what is put on the forms. Both are stored with the user session. And both need to be validated accordingly and matched correctly server-side to pass. That way, if the token is stolen from one method, it still won't work. Maybe this could be a config option, and enabled only with the "high/extreme" security profiles by the Setup Wizard.

Note 0009300 (Patrick Schmalstig, 2024-09-06 01:38): This might not work for AJAX requests because they need a way to get a CSRF token. They do this through a secondary AJAX request getting a token, but this method will prevent being able to set an HttpOnly CSRF cookie for additional validation.

Note 0009301 (Patrick Schmalstig, 2024-09-06 01:58): Actually, OWASP does not recommend transmitting the token as a cookie for the synchronizer token CSRF method in stateful apps (and Composr is stateful). Closing.
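The following is an added illustration of the scheme discussed in the notes above, not code from Composr or from the issue: a session-bound synchronizer token embedded in forms plus a second, independent token carried in an HttpOnly/Secure cookie, with the server requiring both to match the stored session values. The names (`start_session`, `validate_csrf`, `csrf_cookie_header`, the `Request` class and the in-memory `SESSIONS` store) are assumptions made for this example. It also shows the compatibility concern raised in the description: a client that rejects or drops cookies fails validation even with a correct form token, which is the trade-off a "high/extreme" security profile would have to accept.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed in-memory session store for the example: session id -> CSRF tokens.
# A real deployment would keep this in the server-side session backend.
SESSIONS = {}


def start_session():
    """Create a session holding two independent CSRF tokens (assumed design from the note)."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {
        "form_token": secrets.token_urlsafe(32),    # embedded in forms / handed to AJAX callers
        "cookie_token": secrets.token_urlsafe(32),  # sent only as an HttpOnly; Secure cookie
    }
    return sid


def csrf_cookie_header(sid):
    """Set-Cookie value for the cookie-side token. HttpOnly keeps it out of reach of page scripts."""
    return (f"csrf_token={SESSIONS[sid]['cookie_token']}; "
            "HttpOnly; Secure; SameSite=Strict; Path=/")


@dataclass
class Request:
    """Minimal stand-in for an incoming HTTP request (assumed shape)."""
    cookies: dict
    post: dict
    headers: dict = field(default_factory=dict)


def validate_csrf(req, require_cookie=True):
    """Return (ok, reason). Both tokens must match the stored session values.

    require_cookie=False degrades to a plain synchronizer-token check, which is what
    a lower security profile (or a cookie-less client) would have to fall back to.
    """
    sess = SESSIONS.get(req.cookies.get("session", ""))
    if sess is None:
        return False, "no session"
    # Constant-time comparison so token checks do not leak timing information.
    if not hmac.compare_digest(req.post.get("csrf_token", ""), sess["form_token"]):
        return False, "form token mismatch"
    if require_cookie:
        if not hmac.compare_digest(req.cookies.get("csrf_token", ""), sess["cookie_token"]):
            return False, "cookie token mismatch"
    return True, "ok"


def make_request(sid, form_token, send_csrf_cookie=True):
    """Build a request as a browser with the given session would send it (constructed input)."""
    cookies = {"session": sid}
    if send_csrf_cookie:
        cookies["csrf_token"] = SESSIONS[sid]["cookie_token"]
    return Request(cookies=cookies, post={"csrf_token": form_token})


def demo():
    """Run the three cases the issue discusses and return their (ok, reason) results."""
    sid = start_session()
    good = SESSIONS[sid]["form_token"]
    results = {
        # Normal same-origin form submission: both tokens present and correct.
        "browser_ok": validate_csrf(make_request(sid, good)),
        # Cross-site forgery: the browser attaches cookies automatically, but the
        # form token is unknown to the forging page, so the form check fails first.
        "forged_form": validate_csrf(make_request(sid, "guess")),
        # Client that rejected or dropped the CSRF cookie: correct form token alone
        # is not enough when the cookie leg is required (the compatibility downside).
        "cookies_rejected": validate_csrf(make_request(sid, good, send_csrf_cookie=False)),
        # Same client under the fallback (synchronizer token only) still passes.
        "cookies_rejected_fallback": validate_csrf(
            make_request(sid, good, send_csrf_cookie=False), require_cookie=False),
    }
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:28s} -> {outcome}")
```

Note that `demo()` does not model the AJAX concern from note 0009300 directly: an XHR from the same origin sends the HttpOnly cookie automatically, so the cookie leg is satisfied, and the script still needs the form-side token from a token endpoint before it can pass the form check.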
Date Modified | Username | Field | Change |
---|---|---|---|
2024-08-14 19:29 | Patrick Schmalstig | New Issue | |
2024-08-14 19:29 | Patrick Schmalstig | Status | non-assigned => assigned |
2024-08-14 19:29 | Patrick Schmalstig | Assigned To | => Patrick Schmalstig |
2024-08-14 19:29 | Patrick Schmalstig | Tag Attached: Roadmap: v11 | |
2024-08-14 19:29 | Patrick Schmalstig | Tag Attached: Type: Security | |
2024-08-14 19:29 | Patrick Schmalstig | Relationship added | related to 0005887 |
2024-08-14 19:31 | Patrick Schmalstig | Note Added: 0009193 | |
2024-08-14 19:32 | Patrick Schmalstig | Additional Information Updated | View Revisions |
2024-08-14 19:34 | Patrick Schmalstig | Note Edited: 0009193 | View Revisions |
2024-08-14 19:35 | Patrick Schmalstig | Note Edited: 0009193 | View Revisions |
2024-09-06 01:38 | Patrick Schmalstig | Note Added: 0009300 | |
2024-09-06 01:58 | Patrick Schmalstig | Status | assigned => closed |
2024-09-06 01:58 | Patrick Schmalstig | Resolution | open => won't fix |
2024-09-06 01:58 | Patrick Schmalstig | Note Added: 0009301 | |