CSRF protection by default?

Doc

Hi,

I'd like to add some CSRF protection on my sign-up form.

I've successfully applied that method: https://processwire.com/talk/topic/3779-use-csrf-in-your-own-forms/

(generate the tokens and, once the form is posted, check the tokens with $session->CSRF->validate();)

I've read stuff about $config->protectCSRF, but I don't understand:

- it's ON by default, but what does it mean? Are my forms protected by default, or do I have to add the above stuff?

- (bonus question) how do you hack your own form to simulate an "attack"? I've tried the Chrome debug console but did not succeed in editing the token I generated in the sign-up form.

Thanks!


24 minutes ago, Doc said:

it's ON by default, but what does it mean? Are my forms protected by default, or do I have to add the above stuff?

I think it refers to the fact that it's set to true in wire/config.php

/**
 * Protect CSRF?
 *
 * Enables CSRF (cross site request forgery) protection on all PW forms, recommended for improved security.
 *
 * @var bool
 *
 */
$config->protectCSRF = true;


Hi @fbg13,

Yes, I get that, it's set to true in my config.php.

Actually it doesn't appear in my config.php, which means it's ON by default; I can turn it to false by specifying it in the config.php.

What I'd like to know is what it means functionally speaking: do I have to implement the lines of code I spoke about earlier, or does PW protect me against CSRF attacks by default (I'm not sure about that)?


More info here:

http://processwire.com/api/ref/session/csrf/

In addition, excerpt from /wire/config.php. Emphasis here is on PW forms (on by default)

/**
 * Protect CSRF?
 *
 * Enables CSRF (cross site request forgery) protection on all PW forms, recommended for improved security.
 *
 * @var bool
 *
 */
$config->protectCSRF = true;


Ok I get it now, thanks to both of you.

I don't use PW forms, and I understand now that the tutorial I pasted here was a way to implement CSRF protection without PW forms; I'd missed that.

The session link helped too!

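An added example, not code from this thread or from ProcessWire's own documentation, showing the custom-form approach the thread settles on: a template file that renders its own token and calls $session->CSRF->validate() on submit, so the form is protected even though $config->protectCSRF only covers forms ProcessWire renders itself. It assumes ProcessWire 3 (namespaced) and the API variables available in template files ($session, $input, $sanitizer, $log, $page); the log name "signup" and the field names are made up.

```php
<?php namespace ProcessWire;
// Added example (not from the thread or the ProcessWire docs).
// $config->protectCSRF covers forms built by ProcessWire (admin/Inputfield forms);
// a hand-written sign-up form must carry and check its own token, as below.

$message = '';

if ($input->post('signup')) {
    // validate() throws WireCSRFException when the token is missing, does not
    // match the value stored in this session, or came from another session.
    try {
        $session->CSRF->validate();
        $email = $sanitizer->email($input->post('email'));
        if ($email) {
            // ... create the user here (omitted in this example) ...
            $message = 'Thanks, your sign-up was received.';
        } else {
            $message = 'Please enter a valid email address.';
        }
    } catch (WireCSRFException $e) {
        // Do not process the submission. Issue a fresh token and record the
        // event so forged or replayed posts show up in the logs.
        $session->CSRF->resetToken();
        $log->save('signup', 'CSRF validation failed from ' . $session->getIP());
        $message = 'This form has expired, please try again.';
    }
}

// Token name and value are per-session; the hidden field ties the submission
// to the session that rendered the form, which a third-party page cannot read.
$tokenName  = $session->CSRF->getTokenName();
$tokenValue = $session->CSRF->getTokenValue();
?>
<p><?= $sanitizer->entities($message) ?></p>
<form method="post" action="<?= $page->url ?>">
  <input type="email" name="email" required>
  <input type="hidden" name="<?= $tokenName ?>" value="<?= $tokenValue ?>">
  <button type="submit" name="signup" value="1">Sign up</button>
</form>
```

Submitting the form without the hidden field, or with an altered value, takes the catch branch and never reaches the user-creation code, which is the check the original question was asking about.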
