Checking $_COOKIE for CSRF token?

Any reason why Yii 1.1 does not check for CSRF in the cookie variable?

Class CHttpRequest, line 1352 forward.

Implementation could for example be:

if (empty($maskedUserToken)) {
    $maskedUserToken = $_COOKIE[$this->csrfTokenName];

Because the protection itself assumes that the token is submitted both in the cookies and in one of the POST, PUT, PATCH, DELETE request. That’s the whole idea.

OK, that makes sense, thank you. :slight_smile:

Any comments about putting CSRF in the header, like suggested here: Cross-Site Request Forgery Prevention - OWASP Cheat Sheet Series

    var csrf_token = $('meta[name="csrf-token"]').attr('content');

    function csrfSafeMethod(method) {
        // these HTTP methods do not require CSRF protection
        return (/^(GET|HEAD|OPTIONS)$/.test(method));

        beforeSend: function(xhr, settings) {
            if (!csrfSafeMethod(settings.type) && !this.crossDomain) {
                xhr.setRequestHeader("anti-csrf-token", csrf_token);

It’s alright. It doesn’t rally matter how you pass request token value, be it POST body or a header. What matters is that attacker has no direct access to a second token that we compare with.

Yii 1.1 does not seem to read the header in validateCsrfToken(), however. Would you accept a patch?

Maybe. @marcovtwout is the one who currently decides about what goes into 1.1.

@ollehar If it can be added in a backward-compatible manner a PR is welcome :slight_smile:

Sure, it would just be another line before checking the request object. Will post a PR later. Thanks!

Pull request: Check CSRF token in header too by olleharstedt · Pull Request #4388 · yiisoft/yii · GitHub

If passed, it would make sense to port this to Yii 2 and 3 too.

1 Like