Welcome to the Question2Answer Q&A. There's also a demo if you just want to try it out.
+6 votes
595 views
in Plugins by
edited by

To Q2A developers:

I am developing caching plugin for Q2A. I'm facing a big issue of this plugin. It is "code" for CSRF protection is cached. This is a fatal issue of the original plugin.

Example:

<input type="hidden" name="code" value="0-1437352020-1f25a7e49caa37d85df1a50d45949ea62b8aa596">

Do you know a good way to deal with this? It is OK even without a specific program. Please show tips and an process example of other products.

If this plugin is complete, most users of Q2A would use it. Please cooperate.

Thanks.

Q2A version: 1.7
by
I have little clue, but I found this interesting: https://www.fastly.com/blog/Caching-the-Uncacheable-CSRF-security/ Particularly the "Technique 3: Token Over XHR"
by
@Alvaro Thank you for your great hint. Plan to change the part of displayed cache with Ajax (XHR) is likely to be flexible.

3 Answers

+1 vote
by
edited by
How about calling this function, and dynamically replacing the code in the cached content?

function qa_get_form_security_code

Also, if $_POST is present, I would not use cache.  That would take care of posting answers.
by
Thanks steven.
by
No problem. This is a tough issue.  I was reading up, and even cookie tokens can be spoofed.  Suggest reading up on cookie /session CSRF measures before proceeding.  And thanks for keeping this plugin alive, although a hard one to do.
by
I have again studied functions below. Fortunately, we can override these functions. Hint for solution would be here.
File: qa-include/app/users.php
1. qa_set_form_security_key()
2. qa_calc_form_security_hash()
3. qa_get_form_security_code()
4. qa_check_form_security_code()
by
Yes, those are the main functions.  I don't think you need to over-ride, simply call qa_get_form_security_code() and update the static content with the new code (multiple places for questions/answers/comments).  That's it, I think?
+1 vote
by

After all, I was fixed with client-side Javascript and overriding qa_check_form_security_code() function that checks CSRF protection code in V0.3.

by
Congrats for this... now can we use this plugin on main websites??
by
No. Many problems still exist. In some cases, the official release might be next year. If there is a cooperation of many developers, there is a possibility that release is accelerated. However, it would be probably not.
by
Wow! I hadn't even thought that this plugin will take that much for its first official release. But its even good that you are developing it, so I am sure that final product will be awesome... :)
by
Thanks Gurjyot for your understanding. This plugin is so simple. However, since many processing of Q2A are bypassed, many problems occur. Development may not require so much time. However, because the impact on the core is very large, must be a lot of test is carried out.
0 votes
by
removing security is never a good idea.

You have many solutions for this caching problem.

One requires a pluging to override the active theme class and a good knowledge of QA software to distinguish the user specific datas from the general container and the real time questions datas.

Half of the work is ready but I have too many things to do this summer. Please wait for 2 ou 3 weeks and you will merge the 2 works. Or , if you are impatient, contact me in private to get my methods and some pieces of code
by
You may have been a little misunderstanding. Security code has not been removed.
...