Checking $_COOKIE for CSRF token?

Any reason why Yii 1.1 does not check for CSRF in the cookie variable?

Class CHttpRequest, line 1352 onward.

An implementation could, for example, be:

    // Fall back to the cookie when no token was found in the request body
    // (guarded with isset() to avoid an undefined-index notice)
    if (empty($maskedUserToken) && isset($_COOKIE[$this->csrfTokenName])) {
        $maskedUserToken = $_COOKIE[$this->csrfTokenName];
    }

Because the protection itself assumes that the token is submitted both in the cookie and in the body of a POST, PUT, PATCH or DELETE request. That’s the whole idea.

OK, that makes sense, thank you. :slight_smile:

Any comments about putting the CSRF token in a header, as suggested here: Cross-Site Request Forgery Prevention - OWASP Cheat Sheet Series

    var csrf_token = $('meta[name="csrf-token"]').attr('content');

    function csrfSafeMethod(method) {
        // these HTTP methods do not require CSRF protection
        return (/^(GET|HEAD|OPTIONS)$/.test(method));
    }

    $.ajaxSetup({
        beforeSend: function(xhr, settings) {
            if (!csrfSafeMethod(settings.type) && !this.crossDomain) {
                xhr.setRequestHeader("anti-csrf-token", csrf_token);
            }
        }
    });

It’s alright. It doesn’t really matter how you pass the request token value, be it in the POST body or a header. What matters is that the attacker has no direct access to the second token that we compare it with.
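The server-side counterpart of the two replies above, as an added example that is not Yii's own code and not taken from this thread: a minimal double-submit-cookie check that takes the request-side token from the form field or, failing that, from a request header, and compares it against the cookie in constant time. The function name csrf_validate, the cookie/field name YII_CSRF_TOKEN and the X-CSRF-Token header are assumptions for this example, as is PHP 7 or later. It deliberately never reads the request-side token from the cookie itself, since the cookie is the second token the request token is checked against.

```php
<?php
// Added example (not Yii's code): double-submit-cookie CSRF validation
// that accepts the request token from the body field or a header.
// CSRF_COOKIE, CSRF_FIELD, CSRF_HEADER and csrf_validate() are assumed names.

const CSRF_COOKIE = 'YII_CSRF_TOKEN';    // cookie holding the second token
const CSRF_FIELD  = 'YII_CSRF_TOKEN';    // form field carrying the request token
const CSRF_HEADER = 'HTTP_X_CSRF_TOKEN'; // $_SERVER key for an "X-CSRF-Token" header

/**
 * Returns true when the request is allowed through the CSRF check.
 *
 * Safe methods are skipped, mirroring the client-side csrfSafeMethod()
 * shown earlier in the thread. For all other methods the request token
 * (body field first, then header) must match the cookie token exactly.
 */
function csrf_validate(array $server, array $cookie, array $body): bool
{
    $method = strtoupper($server['REQUEST_METHOD'] ?? 'GET');
    if (in_array($method, ['GET', 'HEAD', 'OPTIONS'], true)) {
        return true;
    }

    // Second token: the cookie. A page on another origin cannot read it,
    // so a forged request cannot reproduce it in the body or a header.
    $cookieToken = $cookie[CSRF_COOKIE] ?? null;
    if (!is_string($cookieToken) || $cookieToken === '') {
        return false;
    }

    // Request token: body field, then header. Never fall back to the cookie
    // here, otherwise the two values always agree and the check is void.
    $userToken = $body[CSRF_FIELD] ?? $server[CSRF_HEADER] ?? null;
    if (!is_string($userToken) || $userToken === '') {
        return false;
    }

    // Constant-time comparison so timing does not leak the token
    return hash_equals($cookieToken, $userToken);
}

// Constructed sample requests (not captured traffic) exercising the three paths
$viaHeader = csrf_validate(
    ['REQUEST_METHOD' => 'POST', 'HTTP_X_CSRF_TOKEN' => 'tok-123'],
    ['YII_CSRF_TOKEN' => 'tok-123'],
    []
);
$viaBody = csrf_validate(
    ['REQUEST_METHOD' => 'DELETE'],
    ['YII_CSRF_TOKEN' => 'tok-123'],
    ['YII_CSRF_TOKEN' => 'tok-123']
);
$forged = csrf_validate(
    ['REQUEST_METHOD' => 'POST'],     // cookie sent by the browser, but no token
    ['YII_CSRF_TOKEN' => 'tok-123'],  // the attacker's page could not supply it
    []
);
var_dump($viaHeader, $viaBody, $forged);
```

In a real deployment the cookie value would be generated with a CSPRNG and, as in Yii, the request-side token may be masked per response; the comparison above then runs on the unmasked values.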

Yii 1.1 does not seem to read the header in validateCsrfToken(), however. Would you accept a patch?

Maybe. @marcovtwout is the one who currently decides about what goes into 1.1.

@ollehar If it can be added in a backward-compatible manner a PR is welcome :slight_smile:

Sure, it would just be another line before checking the request object. Will post a PR later. Thanks!

Pull request: Check CSRF token in header too by olleharstedt · Pull Request #4388 · yiisoft/yii · GitHub

If passed, it would make sense to port this to Yii 2 and 3 too.
