expressjs / csurf

CSRF token middleware


per-page CSRF token support

francisfernando opened this issue · comments

Currently we implement csurf in our project to add a security feature.

Here is how we implement it:

Under routes:

/** Implement CSRF Token */
var csrfProtection = csrf();

/** Home page */
app.get('/user', isAuthenticated, csrfProtection, home.show);

app.post('/new/user', isAuthAPI, csrfProtection, user.update);

Add the token in the meta data:

<meta name="csrf-token" content="{{_csrftoken}}">

Then override AJAX to add the token:

/** SET CSRF */
var CSRF_HEADER = 'X-CSRF-Token';

var setCSRFToken = function (securityToken) {
  jQuery.ajaxPrefilter(function (options, _, xhr) {
    // jQuery upper-cases options.type before prefilters run, so compare case-insensitively
    if (!xhr.crossDomain && String(options.type).toUpperCase() !== 'GET') {
      xhr.setRequestHeader(CSRF_HEADER, securityToken);
    }
  });
};

setCSRFToken($('meta[name="csrf-token"]').attr('content'));
/** END SET CSRF */

Then I tried a single token on all the pages and it was working. Should it be valid only in one page or one request?

The token is validated against the visitor's session or csrf cookie.

I didn't put any option on csrf(); I guess it will be on the session, because when I end the user's session it will be invalid.

Sorry, I guess it submitted my "first draft". Here is what I meant to post:

The token is validated against the visitor's session or csrf cookie. This means that the token is valid for the entire lifetime (in your case the life of the session). For most use-cases this is good enough, since the main protection is to guard against another origin with the same user's web browser making a cross-origin request (it won't know the token). The token is different for each req.csrfToken() to guard against BEAST when served over SSL.

If there is a desire to create per-page tokens, that shouldn't be too difficult to add in, so PRs welcome!

Thanks for the information and explanation. In the meantime I will limit the token to the page that requires it. I will try to check if I can add per-page token creation. I'm thinking we could add an option for the path on the token and the path from the request params.

By the way, I'm just new here. What do you mean by "PRs welcome!"? Sorry, very noob question. Thanks

Thanks. Happy to help. I will review how I can help. The issue with per-page tokens is that you cannot determine where the call has been performed (which page). Do you have any idea how we can check this in Express.js or Node?

@federomero not off-hand, which is why I was hoping for some help :)

I gave this a try - fluxsauce@7d0ef69 - and it worked within a very limited set of circumstances. If you are performing multiple POSTs on a page, such as a tracking event followed by a form submission, something will fail. If you open up two browser windows, both with login forms, one of those login forms will be broken.

Kind of on the "not worth it" side of the fence right now :-(