Check Token in Login Form


Mark Dexter

Sep 8, 2014, 6:09:39 PM
to Joomla! CMS Development
In the login() function of UsersControllerUser in the front end, we do a standard session check as follows:

JSession::checkToken('post') or jexit(JText::_('JInvalid_Token'));

Because of this, you can get the following scenario:

1. A user logs out and is redirected to the login screen.
2. The user sits at the login screen for a long period of time (longer than the session timeout).
3. The user tries to login (without refreshing the page) and gets an invalid token message.

As I think about it, I don't understand why we want to do a checkToken() in that screen. The user is not logged in and therefore doesn't have access to anything yet, so why do we care whether they have been redirected from a valid Joomla form?

Am I missing something here or should we think about removing this checkToken? 

Thanks.

Mark Dexter

Bakual

Sep 9, 2014, 8:48:00 AM
to joomla-...@googlegroups.com
It may allow easier brute force attacks if you allow the username/password from any form/request.
But there may well be other ways for that already. I don't know :)

Nick Savov

Sep 9, 2014, 2:53:17 PM
to joomla-...@googlegroups.com
Is http://docs.joomla.org/How_to_add_CSRF_anti-spoofing_to_forms
applicable in this scenario?

Kind regards,
Nick

George Wilson

Sep 10, 2014, 11:41:34 AM
to joomla-...@googlegroups.com
Nick,
Mark's talking about removing that exact thing :P

Kind Regards,
George

Mark Dexter

Sep 10, 2014, 11:48:40 AM
to Joomla! CMS Development
This is what the article says: 

Joomla! attempts to protect against CSRF by inserting a random string called a token into each POST form and each GET query string *that is able to modify something in the Joomla! system*. (my emphasis)

My question is whether the login form fits this description. If you are trying to login, are you able to modify anything in the Joomla! system? I would answer no. So I don't understand the value of the token on that form.

Mark


Sergio Manzi

Sep 10, 2014, 11:53:50 AM
to joomla-...@googlegroups.com
If I understand it correctly CSRF can be a problem once you are logged in, so no issue if you are at the login page and you have (yet) to log in...

Hannes Papenberg

Sep 10, 2014, 12:51:26 PM
to joomla-...@googlegroups.com
Hi Mark,
I would agree with you, but I was told earlier that it is a security issue if you don't add that token. I think it was Anthony Ferrera that said we had to keep this in.

I fiddled with that token some time ago in order to allow for a simple URL login. Since I don't know the token beforehand, I thought about removing it, but I was told that that wasn't a good idea, since it makes brute force attacks against a user account trivial. Then again, the token is only unique per session, so it is identical across all forms in Joomla per session.

In any case, I'd like to hear more opinions on that one.

Hannes


Ercan Özkaya

Sep 11, 2014, 4:54:18 AM
to joomla-...@googlegroups.com
I think the CSRF check should stay for both login and logout, as with all unsafe requests. There are attack vectors that work by logging a user automatically into a site without their knowledge.

Sergio Manzi

Sep 11, 2014, 8:16:19 AM
to joomla-...@googlegroups.com
VERY interesting information Ercan!
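Putting Ercan's point (keep the check) together with Mark's expired-session scenario, here is an added example of a session-bound login token; it is my own PHP, not Joomla's UsersControllerUser code, and the function names and the `_token` form field are assumptions. The check stays, but a stale or missing token sends the user back to a fresh form instead of a bare jexit().

```php
<?php
// Added example, not Joomla core code: a session-bound CSRF token for the
// login form. The check is kept (login CSRF is a real vector) while the
// expired-session case is handled by re-issuing a token, not by jexit().
// Function names and the '_token' POST key are hypothetical.
declare(strict_types=1);

// Return the session's token, creating it when the session has none.
function csrf_token(array &$session): string
{
    if (!isset($session['csrf'])) {
        $session['csrf'] = bin2hex(random_bytes(16)); // 128 bits from the CSPRNG
    }
    return $session['csrf'];
}

// Constant-time comparison; a missing token on either side fails closed.
function csrf_check(array $session, array $post): bool
{
    if (!isset($session['csrf']) || !is_string($post['_token'] ?? null)) {
        return false;
    }
    return hash_equals($session['csrf'], $post['_token']);
}

// Simulated login() action: returns where the user ends up next.
function handle_login(array &$session, array $post): string
{
    if (!csrf_check($session, $post)) {
        // Stale or forged request: do not authenticate. Issue a fresh token
        // and send the user back to the form with a plain message.
        unset($session['csrf']);
        csrf_token($session);
        return 'redirect:/login?msg=session_expired';
    }
    // ... credential verification would go here ...
    // Rotate the token after login so the pre-login value is useless.
    $session['csrf'] = bin2hex(random_bytes(16));
    return 'logged_in';
}

// Constructed walk-through of the scenario from the thread.
$session = [];
$form = ['username' => 'alice', 'password' => 'secret', '_token' => csrf_token($session)];
echo handle_login($session, $form), "\n";   // prompt submit: token matches the session

$session = [];                              // session timed out while the form sat open
echo handle_login($session, $form), "\n";   // same form, old token: back to a fresh form

$forged = ['username' => 'alice', 'password' => 'secret']; // cross-site POST has no token
echo handle_login($session, $forged), "\n"; // rejected without touching credentials
```

The third call is the case Ercan describes: a request from another origin cannot carry a token bound to the victim's session, so the login is refused before any credentials are checked.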