adrianmak Posted May 19, 2017

I'm going to put CSRF form protection on a form. At what point should CSRF be validated during form processing after submission? Here is pseudocode:

    if form submitted
        validate input fields
        if any one of the fields is invalid, stop processing and display field error
        if input fields passed validation
            validate CSRF
            if passed CSRF validation
                submit form data or save to database
            if not passed CSRF validation
                generate form error

Is anything wrong with this order?
rick Posted May 19, 2017

I use this format:

    if form submitted {
        if CSRF is valid {
            // process form data
        } else {
            session redirect 401
        }
    }
    // render form

The reason I use this order is: first, I make sure the form was submitted. If it was not, then render the form. Second, I validate CSRF. If it passes, then process form data. (No sense processing form data if invalid.) Lastly, if CSRF fails, I redirect to 401.
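The ordering in the two posts above, written out as a complete plain-PHP handler. This is an added example, not code from the thread and not ProcessWire's own CSRF implementation: it stores a random token in the PHP session and compares it with `hash_equals()`; the hidden-field name `_csrf_token`, the `email` field and the `save()` stub are hypothetical. It follows rick's order (submitted? then CSRF? then field validation? then save) because a forged request should get no field-level feedback and must never reach any code that changes state.

```php
<?php
// Added example, not from the thread or ProcessWire. Order of checks:
// 1. submitted?  2. CSRF token valid?  3. fields valid?  4. save  5. render.
declare(strict_types=1);

session_start();

const CSRF_FIELD = '_csrf_token';   // hypothetical hidden-field name

/** Create (once per session) and return the token to embed in the form. */
function csrf_token(): string
{
    if (empty($_SESSION[CSRF_FIELD])) {
        // 32 bytes from the CSPRNG, hex-encoded so it is safe in an attribute
        $_SESSION[CSRF_FIELD] = bin2hex(random_bytes(32));
    }
    return $_SESSION[CSRF_FIELD];
}

/** Constant-time comparison of the submitted token with the session copy. */
function csrf_valid(array $post): bool
{
    $expected = $_SESSION[CSRF_FIELD] ?? '';
    $given    = $post[CSRF_FIELD] ?? '';
    // hash_equals() avoids a timing side channel; both arguments must be strings
    return is_string($given) && $expected !== '' && hash_equals($expected, $given);
}

/** Field validation runs only after the request has proven it is genuine. */
function validate_fields(array $post): array
{
    $errors = [];
    $email = trim((string)($post['email'] ?? ''));
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors['email'] = 'Please enter a valid e-mail address.';
    }
    return $errors;
}

/** Hypothetical persistence step; replace with the real model or DB call. */
function save(array $post): void
{
}

$errors = [];
if ($_SERVER['REQUEST_METHOD'] === 'POST') {           // 1. form submitted?
    if (!csrf_valid($_POST)) {                          // 2. CSRF token valid?
        // A forged request gets no field feedback at all: stop here.
        // 403 (Forbidden) rather than 401, which RFC 7235 reserves for
        // missing or invalid authentication credentials.
        http_response_code(403);
        exit('Invalid or missing CSRF token.');
    }
    $errors = validate_fields($_POST);                  // 3. field validation
    if ($errors === []) {
        save($_POST);                                   // 4. persist
        // Rotate the token after a successful state change so a captured
        // value cannot be replayed, then redirect (POST/redirect/GET).
        unset($_SESSION[CSRF_FIELD]);
        header('Location: ' . $_SERVER['REQUEST_URI'], true, 303);
        exit;
    }
}

// 5. Render the form (or re-render it with errors), embedding the token.
$token = htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8');
$email = htmlspecialchars((string)($_POST['email'] ?? ''), ENT_QUOTES, 'UTF-8');
?>
<form method="post">
  <input type="hidden" name="<?= CSRF_FIELD ?>" value="<?= $token ?>">
  <label>E-mail <input name="email" value="<?= $email ?>"></label>
  <?php if (isset($errors['email'])): ?>
    <p><?= htmlspecialchars($errors['email'], ENT_QUOTES, 'UTF-8') ?></p>
  <?php endif; ?>
  <button type="submit">Save</button>
</form>
```

Two points worth checking in any implementation of this pattern: the CSRF comparison must use a constant-time function (`hash_equals()` here) rather than `==` or `===`, and the token must be generated from a CSPRNG (`random_bytes()`), never from `rand()`, `uniqid()` or a timestamp. In ProcessWire the same structure works with the framework's own API: `$session->CSRF->hasValidToken()` returns a bool, so it fits the `if` form used above, while `$session->CSRF->validate()` throws a `WireCSRFException` on failure and therefore belongs inside a `try`/`catch` if you want to control the response yourself.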
adrianmak Posted May 19, 2017 Author

29 minutes ago, rick said:

    I use this format:

        if form submitted {
            if CSRF is valid {
                // process form data
            } else {
                session redirect 401
            }
        }
        // render form

    The reason I use this order is: first, I make sure the form was submitted. If it was not, then render the form. Second, I validate CSRF. If it passes, then process form data. (No sense processing form data if invalid.) Lastly, if CSRF fails, I redirect to 401.

How do I generate an HTTP 401 error to the client?
rick Posted May 19, 2017

    header("Status: 401", true, 401);
huseyin Posted June 10, 2020

I wanted to test the CSRF validation. I have PW 3.0.148 running on local XAMPP and installed the LoginRegister module. While editing the profile, I changed the token and/or the value of the token on the form. After submitting: no error, no exception. The edited value was accepted. On line 895 is coded:

    $session->CSRF->validate();

(which should throw the exception, but did not). If I change this line from "$session->CSRF->validate();" to "echo $session->CSRF->validate();" then I get the exception as the admin error page (see attached). Can someone test the same?
huseyin Posted June 11, 2020

Any comments about this CSRF problem (see my previous message)? Can anybody reproduce this?
kongondo Posted June 11, 2020

1 hour ago, huseyin said:

    Any comments about this CSRF problem (see my previous message)?

Please start a new topic and show us some code. Your question does not seem to be related to the current thread.