Commit f20640d0 authored by Ad Schellevis's avatar Ad Schellevis

csrf, switch from token per request to token per session. solves issues when using multiple tabs.

parent 895e30d1
...@@ -177,7 +177,7 @@ class ControllerBase extends ControllerRoot ...@@ -177,7 +177,7 @@ class ControllerBase extends ControllerRoot
} }
// check for valid csrf on post requests // check for valid csrf on post requests
if ($this->request->isPost() && !$this->security->checkToken()) { if ($this->request->isPost() && !$this->security->checkToken(null, null, false)) {
// post without csrf, exit. // post without csrf, exit.
$this->response->setStatusCode(403, "Forbidden"); $this->response->setStatusCode(403, "Forbidden");
return false; return false;
...@@ -195,10 +195,9 @@ class ControllerBase extends ControllerRoot ...@@ -195,10 +195,9 @@ class ControllerBase extends ControllerRoot
} }
// include csrf for volt view rendering. // include csrf for volt view rendering.
$this->view->setVars([ $csrf_token = $this->session->get('$PHALCON/CSRF$');
'csrf_tokenKey' => $this->security->getTokenKey(), $csrf_tokenKey = $this->session->get('$PHALCON/CSRF/KEY$');
'csrf_token' => $this->security->getToken() $this->view->setVars(['csrf_tokenKey' => $csrf_tokenKey,'csrf_token' => $csrf_token]);
]);
// link menu system to view, append /ui in uri because of rewrite // link menu system to view, append /ui in uri because of rewrite
$menu = new Menu\MenuSystem(); $menu = new Menu\MenuSystem();
......
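Review bot: The view now reads `$PHALCON/CSRF$` and `$PHALCON/CSRF/KEY$` straight from the session, but nothing in this hunk creates them when they are absent, so the first GET of a fresh session appears to render an empty `csrf_token`/`csrf_tokenKey` and the following POST would then be rejected by the `checkToken(null, null, false)` guard in the earlier hunk. `LegacyCSRF::newToken()` in this same commit guards the equivalent reads with a fallback to `getToken()`/`getTokenKey()`; the same fallback belongs here: `$csrf_token = $this->session->get('$PHALCON/CSRF$') ?: $this->security->getToken();` and `$csrf_tokenKey = $this->session->get('$PHALCON/CSRF/KEY$') ?: $this->security->getTokenKey();`. Because the token now lives as long as the session, a comment here (or at the login handler) should record that it must be regenerated together with the session id at authentication, otherwise a token obtained before login stays valid afterwards. The enclosing method starts and ends outside the hunk.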
...@@ -28,8 +28,6 @@ ...@@ -28,8 +28,6 @@
class LegacyCSRF class LegacyCSRF
{ {
private $securityToken = null;
private $securityTokenKey = null;
private $di = null; private $di = null;
private $security = null; private $security = null;
private $session = null; private $session = null;
...@@ -58,16 +56,13 @@ class LegacyCSRF ...@@ -58,16 +56,13 @@ class LegacyCSRF
{ {
$result = false; // default, not valid $result = false; // default, not valid
$this->Session(); $this->Session();
// do not destroy token after successfull validation, some pages use ajax type requests $securityTokenKey = $_SESSION['$PHALCON/CSRF/KEY$'];
$this->securityTokenKey = $_SESSION['$PHALCON/CSRF/KEY$']; if (empty($_POST[$securityTokenKey])) {
$this->securityToken = !empty($_POST[$this->securityTokenKey]) ? $_POST[$this->securityTokenKey] : "";
if (empty($this->securityToken)) {
if (!empty($_SERVER['HTTP_X_CSRFTOKEN'])) { if (!empty($_SERVER['HTTP_X_CSRFTOKEN'])) {
$this->securityToken = $_SERVER['HTTP_X_CSRFTOKEN']; $result = $this->security->checkToken(null, $_SERVER['HTTP_X_CSRFTOKEN'], false);
$result = $this->security->checkToken(null, $this->securityToken, false);
} }
} else { } else {
$result = $this->security->checkToken($this->securityTokenKey, $this->securityToken, false); $result = $this->security->checkToken($securityTokenKey, $_POST[$securityTokenKey], false);
} }
// close session after validation // close session after validation
session_write_close(); session_write_close();
...@@ -77,12 +72,14 @@ class LegacyCSRF ...@@ -77,12 +72,14 @@ class LegacyCSRF
private function newToken() private function newToken()
{ {
$this->Session(); $this->Session();
// only request new token when checkToken() hasn't saved one // only request new token when session has none
if ($this->securityToken == null) { $securityTokenKey = $_SESSION['$PHALCON/CSRF/KEY$'];
$this->securityToken = $this->security->getToken(); $securityToken = $_SESSION['$PHALCON/CSRF$'];
$this->securityTokenKey = $this->security->getTokenKey(); if (empty($securityToken) || empty($securityTokenKey)) {
$securityToken = $this->security->getToken();
$securityTokenKey = $this->security->getTokenKey();
} }
return array('token'=>$this->securityToken, 'key' => $this->securityTokenKey); return array('token'=>$securityToken, 'key' => $securityTokenKey);
} }
public function csrfRewriteHandler($buffer) public function csrfRewriteHandler($buffer)
......
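Review bot: `$securityTokenKey = $_SESSION['$PHALCON/CSRF/KEY$'];` in the validation method (second hunk) reads the key without checking that the session holds one, so a POST arriving before any token was issued raises an undefined-index notice and the lookup degrades to `$_POST['']`; the two `$_SESSION` reads at the top of newToken() in the third hunk have the same gap. Guarding them keeps the behaviour the surrounding `empty()` checks intend: `$securityTokenKey = isset($_SESSION['$PHALCON/CSRF/KEY$']) ? $_SESSION['$PHALCON/CSRF/KEY$'] : null;` and likewise for `$PHALCON/CSRF$` in newToken(). The new comment `// only request new token when session has none` would be more precise as `// reuse the per-session token; generate a fresh pair only when the session lacks the token or the key`, since newToken() now regenerates both whenever either is missing. The validation method's signature and return lie outside the hunk.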