Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

CSRF protection by storing nonce in Session variable and form

Tags:

security

csrf

To protect against CSRF you should put a nonce in a hidden field in the form, and in a cookie or in the session variable. But what if the user opens several pages in different tabs? In this case each tab would have a form with a unique nonce, but there would be only one nonce stored in the session variable or cookie. Or if you try to store all the nonces in the cookie/session variable, how would you identify which one belongs to which form?

like image 840
Marius Avatar asked Feb 12 '10 07:02

Marius

1 Answers

You can store the same nonce in each of the forms. The easiest way to do it is to tie the nonce to the session ID, so that those forms only work in that session.

You will want to make it hard for attackers to snarf session IDs and create their own nonces. So, one way to go about it is to use HMAC-SHA256 (or the like) to hash the session ID, using a key that you do not expose to the public.

(Obviously if the attacker can get the actual session ID itself, they can already do session hijacking. So that's not what I'm talking about, but rather the ability for an attacker to craft a script (that runs on the victim's computer) that can somehow grab the session ID and use that to dynamically generate a URL with the nonce pre-filled.)

ETA: Whether the above approach is enough on its own depends on how long you expect your typical sessions to last. If users usually use long-lasting sessions spanning longer than a few hours, you'll need to use something more sophisticated.

One approach is to create a new nonce for each form, that contains the timestamp, as well as hash(timestamp . sessionid) (where hash is some variant of HMAC as described above, to prevent forgery, and . is string concatenation). You then verify the nonce by:

  1. checking the timestamp to ensure that the nonce is fresh enough (this is up to your policy, but a few hours is typical)
  2. then, calculating the hash based on the timestamp and session ID, and comparing against the nonce, to verify that the nonce is authentic

If the nonce check fails, you'll want to display a new form, pre-populated with the user's submission (so that if they took a whole day to write their post, they won't lose all their hard work), as well as a fresh nonce. Then the user can resubmit straight away successfully.

like image 52
Chris Jester-Young Avatar answered Oct 24 '22 10:10

Chris Jester-Young
Sign in to Comment

Related questions

how to identify ios device uniquely
Avoiding NavigatorUserMediaError "Only secure origins are allowed" on HTTP in Chrome
Auto login security with PHP, how and why [closed]
Docker Host Security - Can container run dangerous code or change host from inside of a container?
LINQ to Entities and SQL Injection
Is window.opener reliable?
How to set up Mercurial with ssl/security
Tools to test softwares against any attacks for programmers? [closed]
What's the big deal with brute force on hashes like MD5
PHP's mail(): What are potential issues to watch out for?
Storing user and password in a database
Why do ASP.NET JSON web services return the result in 'd'?
Detecting people sharing login / account information for a website
SQL injections in ADOdb and general website security
Put SecureString into PasswordBox
AllowHtml attribute without referencing MVC
Why does my custom SecurityManager cause exceptions the 16th time I create an object with Constructor.newInstance?
Could not establish trust relationship for the SSL/TLS secure channel with subject alternative name certificate
How to protect against Log Injection attacks in PHP?
Validate iPhone device Ids?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!