So currently I’ve subclassed CHttpRequest so I can override getCsrfToken with the following. I think it would be a good addition to the core Yii framework:
    public function getCsrfToken($extra = null)
    {
        // Base per-session token from CHttpRequest
        $csrf = parent::getCsrfToken();
        // Bind the token to a specific action/item when an extra value is given
        // (strict null check so an id of 0 is still accepted)
        if ($extra !== null) {
            $csrf = sha1($csrf . $extra);
        }
        return $csrf;
    }
The purpose of the code is that a CSRF token can be combined with a piece of information to get a unique token for that user for a specific action.
If somebody got a hold of a regular token they could potentially make a user perform all actions with that token. If the extended CSRF token is compromised then it’s not as big a deal because it’s only unique to a specific action.
For example, if a user was to delete item 185, the CSRF token would be $request->getCsrfToken(185), and then the same when validated, meaning it only has a single use of deleting item 185 and would not work on any other items, forms, etc.
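To make the derive-then-validate flow concrete, here is an added stand-alone PHP example; it is not code from the post above or from the Yii framework. It assumes a base per-session token (constructed here with random_bytes in place of what CHttpRequest::getCsrfToken() would return), labels the action as "verb:id" rather than the bare id so a token issued for deleting 185 is not valid for a different action on the same item, and swaps the post's sha1($csrf.$extra) for an HMAC keyed with the base token plus a constant-time comparison. The function names actionToken and validateActionToken are this example's own.

```php
<?php
// Added example: per-action CSRF token derivation and validation.
// Not the poster's or Yii's code; the base token below is a constructed stand-in
// for the per-session token Yii would normally supply.

// Constructed stand-in for the per-session CSRF token.
$baseToken = bin2hex(random_bytes(32));

/**
 * Derive a token bound to exactly one action, e.g. "delete:185".
 * HMAC keyed with the base token is used instead of sha1($base . $extra).
 */
function actionToken(string $baseToken, string $action): string
{
    return hash_hmac('sha256', $action, $baseToken);
}

/**
 * Validate a submitted token for the action the handler is about to perform.
 * The expected value is recomputed server-side from the handler's own action
 * label; the client never supplies that label. hash_equals avoids timing leaks.
 */
function validateActionToken(string $baseToken, string $action, string $submitted): bool
{
    return hash_equals(actionToken($baseToken, $action), $submitted);
}

// The "delete item 185" form embeds a token bound to that action.
$tokenFor185 = actionToken($baseToken, 'delete:185');

// Accepted by the handler that deletes item 185:
var_dump(validateActionToken($baseToken, 'delete:185', $tokenFor185));

// Rejected for a different item, a different action on the same item,
// and when the plain base token is submitted in its place:
var_dump(validateActionToken($baseToken, 'delete:186', $tokenFor185));
var_dump(validateActionToken($baseToken, 'update:185', $tokenFor185));
var_dump(validateActionToken($baseToken, 'delete:185', $baseToken));
```

One design point worth keeping in mind: the action token is derived deterministically from the base token, so this scheme limits the damage of a leaked action-specific token (it only authorises that one action), not of a leaked base token, which still lets every action token be recomputed. The base token therefore needs the same protection as before, and validation must recompute the expected token from the action the server is actually executing rather than from anything in the request.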