Security Access - Token Generation
ericciaparicio opened this issue · comments
I don't understand about generation of security tokens. Example:
$app->get('/foo', function ($request, $response, $args) {
// CSRF token name and value
$nameKey = $this->csrf->getTokenNameKey();
$valueKey = $this->csrf->getTokenValueKey();
$name = $request->getAttribute($nameKey);
$value = $request->getAttribute($valueKey);
});
$app->post('/bar', function ($request, $response, $args) {
// CSRF protection successful if you reached
// this far.
});
If /foo is public, anyone can generate a token and use to valid the access to another method (/bar). Any help about it?
The point is that you can only post to /bar if you have the same session as when you went to /foo.
Sorry... I don't understand...
Example: I have this code:
$app->get('/foo',function ($request, $response, $args) {
$nameKey = $this->csrf->getTokenNameKey();
$valueKey = $this->csrf->getTokenValueKey();
$name = $request->getAttribute($nameKey);
$value = $request->getAttribute($valueKey);
$tokenArray = [
$nameKey => $name,
$valueKey => $value
]
return $response->write(json_encode($tokenArray));
})
If /foo is public, anyone can post to /foo and get a security token. This token can to be used to post /products for example:
$app->post('/products/', function (Request $request, Response $response) {
$sql = "SELECT ..........";
$sth = $this->db->query($sql);
$todos = $sth->fetchAll();
return $response->withJson($todos);
});
Hello Rob! Thanks for your comment!
I posted in GIT about it, but I dont know if you saw.
My doubt is: If /foo is public, anyone can post to /foo and get a security
token. This token can to be used to post /products for example:
$app->post('/products/', function (Request $request, Response $response) {
$sql = "SELECT ..........";
$sth = $this->db->query($sql);
$todos = $sth->fetchAll();
return $response->withJson($todos);
});
Regards
Emiliano
2017-11-10 17:51 GMT-03:00 Rob Allen <notifications@github.com>:
… The point is that you can only post to /bar if you have the same session
as when you went to /foo.
—
You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub
<#80 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AcE5UaGt5BB-fWgK09LELyvRAyoTuDDdks5s1Lc6gaJpZM4QaASn>
.
Slim-Csrf mitigates against cross-site request forgeries. It stops a second browser posting to /products. It is not an authentication or an authorisation system.
You may find https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF) helpful.
Regards,
Rob...
… On 14 Nov 2017, at 14:51, ericciaparicio ***@***.***> wrote:
Hello Rob! Thanks for your comment!
I posted in GIT about it, but I dont know if you saw.
My doubt is: If /foo is public, anyone can post to /foo and get a security
token. This token can to be used to post /products for example:
$app->post('/products/', function (Request $request, Response $response) {
$sql = "SELECT ..........";
$sth = $this->db->query($sql);
$todos = $sth->fetchAll();
return $response->withJson($todos);
});
Regards
Emiliano
2017-11-10 17:51 GMT-03:00 Rob Allen ***@***.***>:
> The point is that you can only post to /bar if you have the same session
> as when you went to /foo.
>
> —
> You are receiving this because you authored the thread.
> Reply to this email directly, view it on GitHub
> <#80 (comment)>,
> or mute the thread
> <https://github.com/notifications/unsubscribe-auth/AcE5UaGt5BB-fWgK09LELyvRAyoTuDDdks5s1Lc6gaJpZM4QaASn>
> .
>
Ah ok! Then, Slim only mitigate this problem. Maybe, I need a way to sure
the access to /foo, to avoid that anyone can generate a token. Is correct?
Regards
Emiliano
2017-11-14 11:55 GMT-03:00 Rob Allen <notifications@github.com>:
…
Slim-Csrf mitigates against cross-site request forgeries. It stops a
second browser posting to /products. It is not an authentication or an
authorisation system.
You may find https://www.owasp.org/index.php/Cross-Site_Request_
Forgery_(CSRF) helpful.
Regards,
Rob...
> On 14 Nov 2017, at 14:51, ericciaparicio ***@***.***>
wrote:
>
> Hello Rob! Thanks for your comment!
>
> I posted in GIT about it, but I dont know if you saw.
>
> My doubt is: If /foo is public, anyone can post to /foo and get a
security
> token. This token can to be used to post /products for example:
>
> $app->post('/products/', function (Request $request, Response $response)
{
> $sql = "SELECT ..........";
> $sth = $this->db->query($sql);
> $todos = $sth->fetchAll();
> return $response->withJson($todos);
> });
>
>
> Regards
>
> Emiliano
>
> 2017-11-10 17:51 GMT-03:00 Rob Allen ***@***.***>:
>
> > The point is that you can only post to /bar if you have the same
session
> > as when you went to /foo.
> >
> > —
> > You are receiving this because you authored the thread.
> > Reply to this email directly, view it on GitHub
> > <#80 (comment)
>,
> > or mute the thread
> > <https://github.com/notifications/unsubscribe-auth/AcE5UaGt5BB-
fWgK09LELyvRAyoTuDDdks5s1Lc6gaJpZM4QaASn>
> > .
> >
—
You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub
<#80 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AcE5URbiLayD7v0juJq3Xc8EvEkf0OSKks5s2anqgaJpZM4QaASn>
.
No.
If you are looking to add authorisation, then you need a different solution and do not use Slim-Csrf at all.
Regards,
Rob...
… On 14 Nov 2017, at 15:08, ericciaparicio ***@***.***> wrote:
Ah ok! Then, Slim only mitigate this problem. Maybe, I need a way to sure
the access to /foo, to avoid that anyone can generate a token. Is correct?
Regards
Emiliano
2017-11-14 11:55 GMT-03:00 Rob Allen ***@***.***>:
>
> Slim-Csrf mitigates against cross-site request forgeries. It stops a
> second browser posting to /products. It is not an authentication or an
> authorisation system.
>
> You may find https://www.owasp.org/index.php/Cross-Site_Request_
> Forgery_(CSRF) helpful.
>
> Regards,
>
> Rob...
>
>
> > On 14 Nov 2017, at 14:51, ericciaparicio ***@***.***>
> wrote:
> >
> > Hello Rob! Thanks for your comment!
> >
> > I posted in GIT about it, but I dont know if you saw.
> >
> > My doubt is: If /foo is public, anyone can post to /foo and get a
> security
> > token. This token can to be used to post /products for example:
> >
> > $app->post('/products/', function (Request $request, Response $response)
> {
> > $sql = "SELECT ..........";
> > $sth = $this->db->query($sql);
> > $todos = $sth->fetchAll();
> > return $response->withJson($todos);
> > });
> >
> >
> > Regards
> >
> > Emiliano
> >
> > 2017-11-10 17:51 GMT-03:00 Rob Allen ***@***.***>:
> >
> > > The point is that you can only post to /bar if you have the same
> session
> > > as when you went to /foo.
> > >
> > > —
> > > You are receiving this because you authored the thread.
> > > Reply to this email directly, view it on GitHub
> > > <#80 (comment)
> >,
> > > or mute the thread
> > > <https://github.com/notifications/unsubscribe-auth/AcE5UaGt5BB-
> fWgK09LELyvRAyoTuDDdks5s1Lc6gaJpZM4QaASn>
>
> > > .
> > >
>
> —
> You are receiving this because you authored the thread.
> Reply to this email directly, view it on GitHub
> <#80 (comment)>,
> or mute the thread
> <https://github.com/notifications/unsubscribe-auth/AcE5URbiLayD7v0juJq3Xc8EvEkf0OSKks5s2anqgaJpZM4QaASn>
> .
>
—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub <#80 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AACBb-l68eawO9dxcYsM5KnT16twi2vpks5s2az8gaJpZM4QaASn>.
--
Development thoughts at http://akrabat.com
Daily Jotter for macOS at http://dailyjotter.com
Ok. Some suggestion?
Regards
Emiliano
2017-11-14 12:13 GMT-03:00 Rob Allen <notifications@github.com>:
… No.
If you are looking to add authorisation, then you need a different
solution and do not use Slim-Csrf at all.
Regards,
Rob...
> On 14 Nov 2017, at 15:08, ericciaparicio ***@***.***>
wrote:
>
> Ah ok! Then, Slim only mitigate this problem. Maybe, I need a way to sure
> the access to /foo, to avoid that anyone can generate a token. Is
correct?
>
> Regards
> Emiliano
>
> 2017-11-14 11:55 GMT-03:00 Rob Allen ***@***.***>:
>
> >
> > Slim-Csrf mitigates against cross-site request forgeries. It stops a
> > second browser posting to /products. It is not an authentication or an
> > authorisation system.
> >
> > You may find https://www.owasp.org/index.php/Cross-Site_Request_
> > Forgery_(CSRF) helpful.
> >
> > Regards,
> >
> > Rob...
> >
> >
> > > On 14 Nov 2017, at 14:51, ericciaparicio ***@***.***>
> > wrote:
> > >
> > > Hello Rob! Thanks for your comment!
> > >
> > > I posted in GIT about it, but I dont know if you saw.
> > >
> > > My doubt is: If /foo is public, anyone can post to /foo and get a
> > security
> > > token. This token can to be used to post /products for example:
> > >
> > > $app->post('/products/', function (Request $request, Response
$response)
> > {
> > > $sql = "SELECT ..........";
> > > $sth = $this->db->query($sql);
> > > $todos = $sth->fetchAll();
> > > return $response->withJson($todos);
> > > });
> > >
> > >
> > > Regards
> > >
> > > Emiliano
> > >
> > > 2017-11-10 17:51 GMT-03:00 Rob Allen ***@***.***>:
> > >
> > > > The point is that you can only post to /bar if you have the same
> > session
> > > > as when you went to /foo.
> > > >
> > > > —
> > > > You are receiving this because you authored the thread.
> > > > Reply to this email directly, view it on GitHub
> > > > <#80#
issuecomment-343582396
> > >,
> > > > or mute the thread
> > > > <https://github.com/notifications/unsubscribe-auth/AcE5UaGt5BB-
> > fWgK09LELyvRAyoTuDDdks5s1Lc6gaJpZM4QaASn>
> >
> > > > .
> > > >
> >
> > —
> > You are receiving this because you authored the thread.
> > Reply to this email directly, view it on GitHub
> > <#80 (comment)
>,
> > or mute the thread
> > <https://github.com/notifications/unsubscribe-auth/
AcE5URbiLayD7v0juJq3Xc8EvEkf0OSKks5s2anqgaJpZM4QaASn>
> > .
> >
> —
> You are receiving this because you commented.
> Reply to this email directly, view it on GitHub <
#80 (comment)>,
or mute the thread <https://github.com/notifications/unsubscribe-
auth/AACBb-l68eawO9dxcYsM5KnT16twi2vpks5s2az8gaJpZM4QaASn>.
>
--
Development thoughts at http://akrabat.com
Daily Jotter for macOS at http://dailyjotter.com
—
You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub
<#80 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AcE5UXocegl2fd_P0CUZqD3Of5cFKtfIks5s2a4CgaJpZM4QaASn>
.
I read a lot of post but I couldn't solve it. Any help?
Regards
Emiliano
2017-11-14 12:17 GMT-03:00 Emiliano Ricci Aparicio <ericciaparicio@gmail.com
…:
Ok. Some suggestion?
Regards
Emiliano
2017-11-14 12:13 GMT-03:00 Rob Allen ***@***.***>:
> No.
>
> If you are looking to add authorisation, then you need a different
> solution and do not use Slim-Csrf at all.
>
> Regards,
>
> Rob...
>
>
>
> > On 14 Nov 2017, at 15:08, ericciaparicio ***@***.***>
> wrote:
> >
> > Ah ok! Then, Slim only mitigate this problem. Maybe, I need a way to
> sure
> > the access to /foo, to avoid that anyone can generate a token. Is
> correct?
> >
> > Regards
> > Emiliano
> >
> > 2017-11-14 11:55 GMT-03:00 Rob Allen ***@***.***>:
> >
> > >
> > > Slim-Csrf mitigates against cross-site request forgeries. It stops a
> > > second browser posting to /products. It is not an authentication or an
> > > authorisation system.
> > >
> > > You may find https://www.owasp.org/index.php/Cross-Site_Request_
> > > Forgery_(CSRF) helpful.
> > >
> > > Regards,
> > >
> > > Rob...
> > >
> > >
> > > > On 14 Nov 2017, at 14:51, ericciaparicio ***@***.***>
> > > wrote:
> > > >
> > > > Hello Rob! Thanks for your comment!
> > > >
> > > > I posted in GIT about it, but I dont know if you saw.
> > > >
> > > > My doubt is: If /foo is public, anyone can post to /foo and get a
> > > security
> > > > token. This token can to be used to post /products for example:
> > > >
> > > > $app->post('/products/', function (Request $request, Response
> $response)
> > > {
> > > > $sql = "SELECT ..........";
> > > > $sth = $this->db->query($sql);
> > > > $todos = $sth->fetchAll();
> > > > return $response->withJson($todos);
> > > > });
> > > >
> > > >
> > > > Regards
> > > >
> > > > Emiliano
> > > >
> > > > 2017-11-10 17:51 GMT-03:00 Rob Allen ***@***.***>:
> > > >
> > > > > The point is that you can only post to /bar if you have the same
> > > session
> > > > > as when you went to /foo.
> > > > >
> > > > > —
> > > > > You are receiving this because you authored the thread.
> > > > > Reply to this email directly, view it on GitHub
> > > > > <#80 (comment)
> -343582396
> > > >,
> > > > > or mute the thread
> > > > > <https://github.com/notifications/unsubscribe-auth/AcE5UaGt5BB-
> > > fWgK09LELyvRAyoTuDDdks5s1Lc6gaJpZM4QaASn>
> > >
> > > > > .
> > > > >
> > >
> > > —
> > > You are receiving this because you authored the thread.
> > > Reply to this email directly, view it on GitHub
> > > <#80 (comment)
> -344283942>,
> > > or mute the thread
> > > <https://github.com/notifications/unsubscribe-auth/AcE5URbiL
> ayD7v0juJq3Xc8EvEkf0OSKks5s2anqgaJpZM4QaASn>
> > > .
> > >
> > —
> > You are receiving this because you commented.
> > Reply to this email directly, view it on GitHub <
> #80 (comment)>,
> or mute the thread <https://github.com/notificati
> ons/unsubscribe-auth/AACBb-l68eawO9dxcYsM5KnT16twi2vpks5s2az8gaJpZM4QaASn
> >.
> >
>
> --
> Development thoughts at http://akrabat.com
> Daily Jotter for macOS at http://dailyjotter.com
>
>
> —
> You are receiving this because you authored the thread.
> Reply to this email directly, view it on GitHub
> <#80 (comment)>,
> or mute the thread
> <https://github.com/notifications/unsubscribe-auth/AcE5UXocegl2fd_P0CUZqD3Of5cFKtfIks5s2a4CgaJpZM4QaASn>
> .
>