Forms protected against CSRF by default
- David Grudl
- Nette Core | 8218
What do you think about the following (easy-to-implement) way?

Nette will automatically send a token in a cookie named __csrfs with expiration 0 (end of session), and all POST forms will always send a hidden field __csrf with the same token (masked against the BREACH attack). At a very low level (RequestFactory?) the tokens will be checked for whether they exist and are the same; if not, a 403 error will be thrown.
Advantages:
- provides automatic protection for all forms, without the need to call addProtection()
- does not depend on the session
- the current error message (Please submit this form again) is actually an antipattern :-(
- tokens in a cookie (unlike in HTML) do not require changing templates and are resistant to the BREACH attack
Cons:
- manually rendered forms without Latte will not work (note that </form n:name> and {/form} in Latte automatically render all HiddenFields, so I am talking about a very special kind of rendering)
- disclosure of the cookie token via XSS is a little bit easier, because it is available on all pages (it can be protected via HttpOnly, but the problem with session hijacking still exists, see below)