Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Do login forms need tokens against CSRF attacks?

Tags:

php

token

csrf

People also ask

What is required for a CSRF attack to take place?

The success of a CSRF attack depends on a user's session with a vulnerable application. The attack will only be successful if the user is in an active session with the vulnerable application. An attacker must find a valid URL to maliciously craft. The URL needs to have a state-changing effect on the target application.

How does token prevent CSRF?

CSRF tokens can prevent CSRF attacks by making it impossible for an attacker to construct a fully valid HTTP request suitable for feeding to a victim user.

Yes. In general, you need to secure your login forms from CSRF attacks just as any other.

Otherwise your site is vulnerable to a sort of "trusted domain phishing" attack. In short, a CSRF-vulnerable login page enables an attacker to share a user account with the victim.

The vulnerability plays out like this:

  1. The attacker creates a host account on the trusted domain
  2. The attacker forges a login request in the victim's browser with this host account's credentials
  3. The attacker tricks the victim into using the trusted site, where they may not notice they are logged in via the host account
  4. The attacker now has access to any data or metadata the victim "created" (intentionally or unintentionally) while their browser was logged in with the host account

As a pertinent example, consider YouTube. YouTube allowed users to see a record of "their own" viewing history, and their login form was CSRF-vulnerable! So as a result, an attacker could set up an account with a password they knew, log the victim into YouTube using that account — stalking what videos the victim was watching.

There's some discussion in this comment thread that implies it could "only" be used for privacy violations like that. Perhaps, but to quote the section in Wikipedia's CSRF article:

Login CSRF makes various novel attacks possible; for instance, an attacker can later log in to the site with his legitimate credentials and view private information like activity history that has been saved in the account.

Emphasis on "novel attacks". Imagine the impact of a phishing attack against your users, and then imagine said phishing attack working via the user's own trusted bookmark to your site! The paper linked in the aforementioned comment thread gives several examples that go beyond simple privacy attacks.


Your understanding is correct -- the whole point of CSRF is that the attacker can forge a legitimate-looking request from beforehand. But this cannot be done with a login form unless the attacker knows the victim's username and password, in which case there are more efficient ways to attack (log in yourself).

Ultimately the only thing that an attacker can do is inconvenience your users by spamming failed logins, when the security system might lock out the user for a period of time.


OWASP has a dedicated section in their CSRF documentation adressing login-CSRF and why/hows to prevent it.

Key points:

How login-CSRF is dangerous:

if an attacker uses CSRF to authenticate a victim on a shopping website using the attacker's account, and the victim then enters their credit card information, an attacker may be able to purchase items using the victim's stored card details

How to address it:

Login CSRF can be mitigated by creating pre-sessions (sessions before a user is authenticated) and including tokens in login form.

And finally:

Remember that pre-sessions cannot be transitioned to real sessions once the user is authenticated - the session should be destroyed and a new one should be made

Note that this mitigation approach also prevents session fixation vulnerability since regenerating session after login is part of this approach.

Related questions

Which is a better way to check if an array has more than one element?
How do you connect to multiple MySQL databases on a single webpage?
How can I trim all strings in an Array? [duplicate]
Weird PHP error: 'Can't use function return value in write context'
jQuery AJAX file upload PHP
Nullable return types in PHP7
PDO get the last ID inserted
How to display string that contains HTML in twig template?
Laravel migration: unique key is too long, even if specified
PHP $_SERVER['HTTP_HOST'] vs. $_SERVER['SERVER_NAME'], am I understanding the man pages correctly?
Among $_REQUEST, $_GET and $_POST which one is the fastest?
PHP method chaining or fluent interface?
Refresh a page using PHP
Difference between break and continue in PHP?
How do I create a copy of an object in PHP?
How to get the first item from an associative PHP array?
Strtotime() doesn't work with dd/mm/YYYY format
How to output in CLI during execution of PHP Unit tests?
Best Practices: working with long, multiline strings in PHP?
Unicode character in PHP string

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!