CSRF token implementation


Thierry Florac
Dec 11, 2017, 9:17:50 AM
to pylons-...@googlegroups.com
Hi,

I'm using Pyramid 1.84 and trying to implement a CSRF token cookie verification for any POST or AJAX request.
My code is as follows:

# Imports the snippet needs (Pyramid 1.8 module locations)
from pyramid.events import INewRequest, INewResponse, subscriber
from pyramid.exceptions import BadCSRFToken
from pyramid.session import check_csrf_origin
from pyramid.util import strings_differ

CSRF_TOKEN_COOKIE_NAME = 'csrf_token'

@subscriber(INewRequest)
def handle_new_request(event):
    """Handle any request with CSRF token cookie"""
    request = event.request
    # Only state-changing (POST) or AJAX requests are checked
    if (request.method == 'POST') or request.is_xhr:
        check_csrf_origin(request)
        # Token presented by the client (cookie) vs. token held in the session
        post_token = request.cookies.get(CSRF_TOKEN_COOKIE_NAME)
        session_token = request.session.get_csrf_token()
        if (not post_token) or strings_differ(post_token, session_token):
            raise BadCSRFToken('Invalid CSRF token')

@subscriber(INewResponse)
def handle_new_response(event):
    """Handle new response to manage CSRF token cookie"""
    request = event.request
    # Static resources do not need the cookie refreshed
    if not request.path.startswith('/--static--/'):
        token = request.session.get_csrf_token()
        event.response.set_cookie(CSRF_TOKEN_COOKIE_NAME, token,
                                  secure=request.scheme == 'https',
                                  httponly=True)
Everything seems to be OK, except on one point: on first submit (which generally comes from the login page), the CSRF token is refused! On second submit and afterwards, everything is OK!

Any idea about how to avoid this?

Best regards,
Thierry

Jonathan Vanasco
Dec 12, 2017, 12:32:26 PM
to pylons-discuss
There's not enough here for me to guess why, but I wanted to note in Pyramid 1.9.x you can store the CSRF in a cookie (instead of in the session).  It may be worth upgrading to use the new storage policy (and compare two cookies) before fixing this.

Michael Merickel
Dec 12, 2017, 1:30:02 PM
to pylons-...@googlegroups.com
Comparing two cookies defeats the entire purpose of csrf protection. Csrf is meant to make it difficult for someone who does not have access to your session to forge requests on behalf of that session. Since cookies are almost always sent along with cross origin requests it means you cannot use them. The user agent must create a payload in the body or a non-cookie header containing the token proving that the creator of this request actually has access to the session information. Session in this paragraph means a client of a domain. 


On Tue, Dec 12, 2017 at 11:32 Jonathan Vanasco <jona...@findmeon.com> wrote:
There's not enough here for me to guess why, but I wanted to note in Pyramid 1.9.x you can store the CSRF in a cookie (instead of in the session).  It may be worth upgrading to use the new storage policy (and compare two cookies) before fixing this.

--
You received this message because you are subscribed to the Google Groups "pylons-discuss" group.
To unsubscribe from this group and stop receiving emails from it, send an email to pylons-discus...@googlegroups.com.
To post to this group, send email to pylons-...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/pylons-discuss/a0ed35da-c332-4108-a277-de668bd54e46%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Jonathan Vanasco
Dec 12, 2017, 2:15:46 PM
to pylons-discuss
You're absolutely correct. I used a very bad choice of words and should have been specific because I was thinking of something weird. I meant to refer to using the new storage policy to implement the "encrypted token pattern", which basically bootstraps a micro session into a first dedicated csrf cookie, then programmatically constructing a request with a second cookie set by the client.

Bert JW Regeer
Dec 12, 2017, 5:44:08 PM
to pylons-...@googlegroups.com
I’m trying to follow what you are saying… and none of it is making any sense.

On Dec 12, 2017, at 12:15, Jonathan Vanasco <jona...@findmeon.com> wrote:

You're absolutely correct. I used a very bad choice of words and should have been specific because I was thinking of something weird. I meant to refer to using the new storage policy to implement the "encrypted token pattern", which basically bootstraps a micro session into a first dedicated csrf cookie, then programmatically constructing a request with a second cookie set by the client.


Thierry Florac
Dec 14, 2017, 6:13:22 AM
to pylons-...@googlegroups.com
OK, I switched to Pyramid 1.9.1 (using CookieCSRFStoragePolicy, and setting the default CSRF options with require_csrf=True) and everything seems to be OK!
Just added javascript code to always add my token (received as cookie) as "X-CSRF-Token" header to every POST request...

Best regards,
Thierry

2017-12-12 23:43 GMT+01:00 Bert JW Regeer <xist...@0x58.com>:
I’m trying to follow what you are saying… and none of it is making any sense.
On Dec 12, 2017, at 12:15, Jonathan Vanasco <jona...@findmeon.com> wrote:

You're absolutely correct. I used a very bad choice of words and should have been specific because I was thinking of something weird. I meant to refer to using the new storage policy to implement the "encrypted token pattern", which basically bootstraps a micro session into a first dedicated csrf cookie, then programmatically constructing a request with a second cookie set by the client.

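An added example, not code from anyone in this thread or from Pyramid itself, contrasting the two checks discussed above: the cookie-versus-session comparison from the first post, and the double-submit pattern Thierry ended up with (CookieCSRFStoragePolicy plus an X-CSRF-Token header copied from the cookie by page script). Requests are modelled as plain dicts constructed here, not Pyramid request objects; the cookie and header names are assumptions matching the thread.

```python
# Constructed model of the thread's two CSRF checks; requests are plain dicts, not Pyramid objects.
import hmac
import secrets

CSRF_COOKIE = "csrf_token"
CSRF_HEADER = "X-CSRF-Token"


def new_token():
    """Unpredictable per-session token; 32 bytes of entropy, hex encoded."""
    return secrets.token_hex(32)


def cookie_only_check(request, session_token):
    """Check from the original post: cookie value versus server-side session.
    Browsers attach the cookie to cross-site form posts too, so a forged
    request that never learned the token still passes. True means accepted."""
    cookie = request["cookies"].get(CSRF_COOKIE)
    return bool(cookie) and hmac.compare_digest(cookie, session_token)


def double_submit_check(request):
    """Check Michael describes: the token must be echoed through a non-cookie
    channel (here the X-CSRF-Token header), which only same-origin script
    that can read the cookie is able to populate. True means accepted."""
    cookie = request["cookies"].get(CSRF_COOKIE)
    header = request["headers"].get(CSRF_HEADER)
    if not cookie or not header:
        return False
    return hmac.compare_digest(cookie, header)


def demo():
    """Run both checks on constructed requests; returns (same-origin, cross-site)
    acceptance for each check."""
    token = new_token()
    # Same-origin AJAX: page script read the cookie (so it must not be HttpOnly)
    # and copied it into the header, as Thierry's JavaScript does.
    same_origin = {"cookies": {CSRF_COOKIE: token}, "headers": {CSRF_HEADER: token}}
    # Cross-site request: the browser still sends the cookie, but a foreign
    # origin cannot read it, so no header is present.
    cross_site = {"cookies": {CSRF_COOKIE: token}, "headers": {}}
    return {
        "cookie_only": (cookie_only_check(same_origin, token),
                        cookie_only_check(cross_site, token)),
        "double_submit": (double_submit_check(same_origin),
                          double_submit_check(cross_site)),
    }
```

The cookie-only check accepts both requests, which is the weakness Michael points out; the double-submit check rejects the cross-site one because the header is missing. Note that Thierry's first snippet set the cookie HttpOnly, which would prevent the page script from reading it for the header.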