slimphp / Slim-Csrf

Slim Framework CSRF protection middleware


Security Access - Token Generation

ericciaparicio opened this issue · comments

I don't understand the generation of security tokens. Example:

$app->get('/foo', function ($request, $response, $args) {
    // CSRF token name and value
    $nameKey = $this->csrf->getTokenNameKey();
    $valueKey = $this->csrf->getTokenValueKey();
    $name = $request->getAttribute($nameKey);
    $value = $request->getAttribute($valueKey);
});

$app->post('/bar', function ($request, $response, $args) {
    // CSRF protection successful if you reached
    // this far.
});

If /foo is public, anyone can generate a token and use it to validate access to another method (/bar). Any help about it?

The point is that you can only post to /bar if you have the same session as when you went to /foo.
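An added example of that session binding, not code from the Slim-Csrf project or from this thread. It assumes slim/csrf 0.8.x (the Slim 3 era `Guard` class used in this issue) installed through Composer, and uses two plain arrays as stand-ins for two users' `$_SESSION` storage; the names Alice and Mallory are constructed.

```php
<?php
// Added example (not from the Slim-Csrf project or this issue thread).
// Assumes slim/csrf 0.8.x via Composer; Guard accepts any array as its storage
// (that is what the middleware normally points at $_SESSION['csrf']).
require __DIR__ . '/vendor/autoload.php';

use Slim\Csrf\Guard;

// Two independent storage arrays model two browsers with two session cookies.
$sessionAlice   = [];
$sessionMallory = [];

// Each Guard writes to and reads from only its own session storage.
$csrfAlice   = new Guard('csrf', $sessionAlice);
$csrfMallory = new Guard('csrf', $sessionMallory);

// Alice's GET /foo: the middleware mints a name/value pair and stores it
// in ALICE's session (this is what $request->getAttribute() hands back).
$pair  = $csrfAlice->generateToken();
$name  = $pair[$csrfAlice->getTokenNameKey()];
$value = $pair[$csrfAlice->getTokenValueKey()];

// Mallory copies the pair (say, from a public JSON endpoint) and submits it
// with her OWN session cookie. Her session storage holds no such token, so
// the lookup fails and validateToken() returns false.
$replayedFromAnotherSession = $csrfMallory->validateToken($name, $value);

// Alice submits the same pair with her own cookie: the token is found in
// her storage and compared with hash_equals(), so this returns true.
$usedByOwner = $csrfAlice->validateToken($name, $value);

// In the default non-persistent mode the token is dropped after one check,
// so a second submission of the same pair by Alice is rejected as well.
$replayedByOwner = $csrfAlice->validateToken($name, $value);

printf(
    "cross-session: %s, owner: %s, owner replay: %s\n",
    var_export($replayedFromAnotherSession, true),
    var_export($usedByOwner, true),
    var_export($replayedByOwner, true)
);
```

The token is therefore only useful to a client that also holds the session cookie it was minted under, which is the one thing a cross-site attacker cannot read.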

Sorry... I don't understand...

Example: I have this code:

$app->get('/foo', function ($request, $response, $args) {
    // Keys under which the CSRF middleware stores the token pair on the request
    $nameKey = $this->csrf->getTokenNameKey();
    $valueKey = $this->csrf->getTokenValueKey();
    $name = $request->getAttribute($nameKey);
    $value = $request->getAttribute($valueKey);

    // Return the pair as JSON so a client can include it in a later POST
    $tokenArray = [
        $nameKey => $name,
        $valueKey => $value
    ];

    return $response->write(json_encode($tokenArray));
});

If /foo is public, anyone can post to /foo and get a security token. This token can be used to post to /products, for example:

$app->post('/products/', function (Request $request, Response $response) {
    $sql = "SELECT ..........";
    $sth = $this->db->query($sql);
    $todos = $sth->fetchAll();
    return $response->withJson($todos);
});