Jump to content

CSRF protection by default ?

Doc

By Doc,
in General Support

 Share

Recommended Posts

Doc Sr. Member

Doc

Posted
Posted

Hi,

I'd like to add some CSRF protection on my sign -up form.

I've successfully applied that method : https://processwire.com/talk/topic/3779-use-csrf-in-your-own-forms/

(generate the tokens and once the form is posted, check the tokens with $session->CSRF->validate();   )

I've read stuff about $config->protectCSRF; but I don't understand :

- it's ON by default but what does it mean ? Are my forms protected by default or do I have to add the above stuff ?

- (bonus question) how do you hack your own form to simulate an "attack" ? I've tried chrome debug console but did not succeed to edit the token I've generated in the sign-up form

Thanks !

Link to comment
Share on other sites
fbg13 Sr. Member

fbg13

Posted
Posted
24 minutes ago, Doc said:

it's ON by default but what does it mean ? Are my forms protected by default or do I have to add the above stuff ?

I think it refers to the the fact that it's set to true in wire/config.php 

/**
 * Protect CSRF?
 *
 * Enables CSRF (cross site request forgery) protection on all PW forms, recommended for improved security.
 *
 * @var bool
 *
 */
$config->protectCSRF = true;

 

Link to comment
Share on other sites
Doc Sr. Member

Doc

Posted
  • Author
Posted

Hi @fbg13,

Yes I get that, it's set to true in my config.php

Actually it doesn't appear in my config.php, which means it's ON by default, I can turn it to false by specifying it in the config.php.

What I'd like to know is what does it mean functionaly speaking : do I have to implement the line of codes I spoke about earlier or does PW protect me against CSRF attacks by default (I'm not sure about that).

 

Link to comment
Share on other sites
kongondo Hero Member

kongondo

Posted
Posted

More info here:

http://processwire.com/api/ref/session/csrf/

In addition, excerpt from /wire/config.php. Emphasis here is on PW forms (on by default) 

/**
 * Protect CSRF?
 *
 * Enables CSRF (cross site request forgery) protection on all PW forms, recommended for improved security.
 *
 * @var bool
 *
 */
$config->protectCSRF = true;

 

  • Like 1
Link to comment
Share on other sites
Doc Sr. Member

Doc

Posted
  • Author
Posted

Ok I get it now, thanks to both of you.

I don't use PW forms and I understand now that the tutorial I've pasted here was a way to implement CSRF protection without PW forms, I've missed that.

The session linked helped too !

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share
Go to topic listing
×
×
  • Create New...