Comments (5)
There should probably be an expiration in the CSRF session section, like 10/30 minutes or something like that.
Regeneration after login/logout should IMHO be done in user-land though.
Well, there used to be an optional parameter with a timeout value, but it was removed (not sure why).
Timeout is not a proper solution.
@dg The readme should reflect this issue and mention implementation details along with the reasoning behind it. Apparently users assume it is implemented as the Synchronizer Token Pattern, but the difference is that a unique token is generated for the whole session, not per request.
@foowie Could you publish that part of the security review for future reference?
TL;DR
The CSRF implementation in Nette is only lightweight. If you are concerned with security, you must implement your own CSRF token policy using Nette\Security\User::onLogin/onLogout and probably after receiving a form.
Forms generate a token only once for the whole session. That prevents attacks on the server that could lead to full memory or disk. Other solutions have more caveats, either being complicated (out of scope for nette(/forms)), hard to implement along with AJAX, or opening doors for DoS.
If you are concerned about people accessing your app from an internet cafe, I would suggest using HTTPS everywhere and reminding your users to log out, along with using two-level verification for critical actions.
The internet cafe argument is no longer valid; it is 2014, not 1995. Anything with a USB port that is not an extension cord cannot be trusted. That includes even cars that use the same bus for control and media, etc.
@mishak87 Short description of the vulnerability sent in the review:
CSRF tokens do not appear to be revoked on logout. This means that a user who accesses their account on an untrusted computer should consider their account permanently compromised; while they can revoke their session token by logging out, they cannot prevent CSRF attacks from an attacker who recovers a CSRF token from the untrusted computer.
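As an added illustration (not Nette code, and not written by any commenter in this thread), the behaviour described above reduced to a minimal Python model: a session-wide token that survives logout beside a variant that rotates it on the login/logout events, plus a check for the reviewer's scenario of a captured token being replayed after a re-login. The dict-based session store, the policy class names and the login/logout hooks are assumptions of this model, not the framework's API.

```python
import hmac
import secrets

# A session is modelled as a plain dict: the constructed stand-in for one
# client's server-side session store.


class SessionWideCsrf:
    """Models what the thread describes: one token per session, never rotated."""

    def token(self, session: dict) -> str:
        # Minted on first use, then reused for the rest of the session.
        if "csrf" not in session:
            session["csrf"] = secrets.token_hex(16)
        return session["csrf"]

    def verify(self, session: dict, submitted: str) -> bool:
        expected = session.get("csrf")
        return expected is not None and hmac.compare_digest(expected, submitted)

    def login(self, session: dict, user: str) -> None:
        session["user"] = user

    def logout(self, session: dict) -> None:
        session.pop("user", None)


class RotatingCsrf(SessionWideCsrf):
    """Hardened variant: fresh token on login, token dropped on logout (the
    user-land hook on login/logout events the thread recommends)."""

    def login(self, session: dict, user: str) -> None:
        super().login(session, user)
        session["csrf"] = secrets.token_hex(16)

    def logout(self, session: dict) -> None:
        super().logout(session)
        session.pop("csrf", None)


def leaked_token_still_valid(policy: SessionWideCsrf) -> bool:
    """Reviewer's scenario: a token captured while the victim was logged in is
    replayed after they logged out and logged in again in the same session."""
    session: dict = {}
    policy.login(session, "alice")
    leaked = policy.token(session)  # value that sat in the rendered form
    policy.logout(session)
    policy.login(session, "alice")
    return policy.verify(session, leaked)
```

With the session-wide policy the replayed token is still accepted; with the rotating policy it is rejected, which is the difference the review is pointing at.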