+3 votes
381 views
in Plugins by

To PHP developers:

I am developing a caching plugin for Q2A. I have one big problem with CSRF protection. I changed the protection code on all forms on all pages from a one-time token to the same session ID (PHPSESSID) using JavaScript.

My questions:

  1. Do you think this measure is effective against CSRF attacks?
  2. Do you know of any other effective way?

Thank you for your cooperation.

Q2A version: 1.7
by
edited by
@sama55, before we get deeper, why use JavaScript to set those tokens? qa provides token-setting functions, why not call them and do a regex replace server side? JS is available to the browser; that would already be a security risk? From my read, exposing the session_id is discouraged in general. One could hash the session_id with the form name, but that is still not optimal. The best security is a 'nonce' (hash that occurs only once) using a timestamp, saving it to the form and session and checking it if the form is submitted. I believe that is what qa is doing with the provided functions already. I believe if the static page replicates what qa is doing already (using the token functions) everything will go smoothly and decoding when the form is submitted need not be changed at all.
by
Thanks steven.

> why use JavaScript to set those tokens? qa provides token-setting functions, why not call them and do a regex replace server side?

Funny. I seem to have been confused. It's as you say. I mimicked JavaScript CSRF code I found on the net. Since the structure of Q2A is good, I did not need to do that.

> From my read, exposing the session_id is discouraged in general. One could hash the session_id with the form name, but that is still not optimal. The best security is a 'nonce' (hash that occurs only once) using a timestamp, saving it to the form and session and checking it if the form is submitted. I believe that is what qa is doing with the provided functions already.

Yes. I agree. However, since the one-time token in the form is also cached, I thought we could not use it. This change began with Yerbol's report below.
http://www.question2answer.org/qa/46578/updated-qa-caching-plugin-v0-3?show=46595#a46595
But in my environment this issue does not occur. I investigated the CSRF protection logic again. As a result, I think changes to the CSRF protection logic in the caching plugin are basically not needed. However, we may need to correct the cached timestamp.

What do you think about it?
by
@sama55, I believe that on every page load those token functions need to be called to update the tokens. It is fairly simple. I will pull your code from GitHub and work on it, hopefully tomorrow.

I think the idea is very good. Like it! Need to remember to increment page views as well. I saw a reference to it in another post here about this plugin.
by
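The nonce scheme steven describes (a one-time value stored in the session with a timestamp, placed in the form and checked on submit) and the problem sama55 raises (a cached page still carries the token issued to whoever rendered it first) fit together in one piece of code. The following is an added example, not code from Q2A or from the q2a-caching plugin; it assumes PHP 7+, a session array passed in explicitly, and that the hidden field is written as `<input ... name="code" value="...">` with that attribute order. Q2A ships its own token helpers (the thread does not name them; to my recollection they are `qa_get_form_security_code()` and `qa_check_form_security_code()`), and a plugin should call those rather than the stand-ins here.

```php
<?php
// Added example, not Q2A's or the plugin's code. Stand-in nonce functions plus the
// server-side token refresh a page cache needs before serving cached HTML.
// Assumptions: PHP 7+, hidden field named "code", name= before value= in the tag.

const CSRF_FIELD = 'code';
const CSRF_TTL   = 3600;   // nonce lifetime in seconds (value chosen for the example)

// Issue a fresh nonce for one action and record it, with its issue time, in the session.
function csrf_issue(array &$session, $action)
{
    $now = time();
    // Prune expired nonces so a session that reloads cached pages often does not grow forever.
    foreach ($session['csrf'][$action] ?? [] as $old => $issued) {
        if ($now - $issued > CSRF_TTL) {
            unset($session['csrf'][$action][$old]);
        }
    }
    $nonce = bin2hex(random_bytes(16));   // 128 bits from the CSPRNG; a cross-site page cannot guess it
    $session['csrf'][$action][$nonce] = $now;
    return $nonce;
}

// Accept a submitted nonce once: it must have been issued to this session for this
// action and be unexpired. It is removed on the first check whether it passes or not.
function csrf_check(array &$session, $action, $submitted)
{
    if (!is_string($submitted) || !isset($session['csrf'][$action][$submitted])) {
        return false;
    }
    $issued = $session['csrf'][$action][$submitted];
    unset($session['csrf'][$action][$submitted]);
    return (time() - $issued) <= CSRF_TTL;
}

// A cached page holds the nonce issued to whoever rendered it first. Replacing it
// server-side on every serve gives each visitor a nonce bound to their own session,
// so the cache neither hands one token to everyone nor breaks the check on submit.
function refresh_cached_tokens($html, array &$session, $action)
{
    $pattern = '/(<input\b[^>]*\bname="' . preg_quote(CSRF_FIELD, '/') . '"[^>]*\bvalue=")[^"]*(")/i';
    return preg_replace_callback($pattern, function ($m) use (&$session, $action) {
        return $m[1] . htmlspecialchars(csrf_issue($session, $action), ENT_QUOTES) . $m[2];
    }, $html);
}

// Constructed sample: HTML as it sits in the cache, still holding the first visitor's token.
$cached  = '<form method="post" action="/ask">'
         . '<input type="hidden" name="code" value="token-of-first-visitor">'
         . '<textarea name="content"></textarea><input type="submit"></form>';
$session = [];                                    // stands in for $_SESSION of the current visitor

$served = refresh_cached_tokens($cached, $session, 'ask');
preg_match('/name="code" value="([^"]*)"/', $served, $m);
$fresh = $m[1];

$results = [
    'cached_token' => csrf_check($session, 'ask', 'token-of-first-visitor'), // what a stale cached copy would send
    'other_action' => csrf_check($session, 'answer', $fresh),                // right nonce, wrong form
    'fresh_first'  => csrf_check($session, 'ask', $fresh),                   // the visitor's own submit
    'fresh_replay' => csrf_check($session, 'ask', $fresh),                   // the same nonce a second time
];
```

Run stand-alone, `$results` shows the point of the thread: the token baked into the cached copy is rejected because it was never issued to this session, the fresh nonce is accepted exactly once for the action it was issued for, and a replay or a use on a different form fails. The refresh happens on the server before the response leaves, so nothing about the token scheme is exposed to or depends on browser-side JavaScript.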
> I believe that on every page load those token functions need to be called to update the tokens. It is fairly simple. I will pull your code from GitHub and work on it, hopefully tomorrow.

Sounds good. I have removed all changes related to CSRF from the plugin source. If changes to the CSRF handling are needed, I look forward to your proposal.

> Need to remember to increment page views as well.  I saw a reference to it in another post here about this plugin.

Yeah, that issue has already been submitted by Yerbol. I am investigating the code related to it.
https://github.com/sama55/q2a-caching/issues/12
by
OK, great. I have already pulled the code. Will work on it. One point is to use the canonical URL, otherwise the number of pages to cache becomes very large.
by
edited by
> One point is to use the canonical URL, otherwise the number of pages to cache becomes very large.

Yes, I also worry about it. For example, the maximum number of files in one directory is 31,998 on CentOS (ext3 file system). On a large site this limit will be exceeded. We need to determine the number of cache files that are stored in a single folder, and cache files need to be distributed across multiple folders.

By the way, uploaded images are stored in the blob table. This has some pros and cons. However, it is one way to avoid worrying about file system limitations.
by
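The two points above, a canonical URL as the cache key and cache files spread across several folders so no directory hits the per-directory limit, can be shown together. This is an added example and not code from q2a-caching; it assumes PHP 7+, a writable cache root, and the list of ignorable query parameters below, which is chosen for illustration. It also writes each file via a temporary name and `rename()`, so a concurrent reader never gets a half-written page.

```php
<?php
// Added example, not the plugin's code: canonical cache key plus hash-sharded file layout.
// Assumptions: PHP 7+, writable $root, IGNORED_PARAMS chosen for illustration.

// Query parameters that do not change the page and must not create separate cache entries.
const IGNORED_PARAMS = ['utm_source', 'utm_medium', 'utm_campaign', 'fbclid'];

// Reduce the many spellings of one URL to a single cache key.
function canonical_key($url)
{
    $p    = parse_url($url);
    $host = strtolower($p['host'] ?? '');
    $path = rtrim($p['path'] ?? '/', '/');          // "/questions/" and "/questions" are one page
    if ($path === '') {
        $path = '/';
    }
    $query = [];
    parse_str($p['query'] ?? '', $query);
    $query = array_diff_key($query, array_flip(IGNORED_PARAMS));
    ksort($query);                                  // "?a=1&b=2" and "?b=2&a=1" are one page
    $key = $host . $path;
    if ($query) {
        $key .= '?' . http_build_query($query);
    }
    return $key;                                    // the #fragment never reaches the server, so it is dropped
}

// Two levels of two hex characters give 256 * 256 = 65,536 leaf directories. At the
// 31,998 files per directory quoted above that is over two billion cache files before
// any single directory fills up. Hashing also keeps URL characters out of file names.
function cache_path($root, $key)
{
    $h = sha1($key);
    return sprintf('%s/%s/%s/%s.html', $root, substr($h, 0, 2), substr($h, 2, 2), $h);
}

// Store atomically: write a temp file, then rename it over the final name.
function cache_store($root, $key, $html)
{
    $file = cache_path($root, $key);
    $dir  = dirname($file);
    if (!is_dir($dir) && !mkdir($dir, 0755, true) && !is_dir($dir)) {
        return false;                               // second is_dir covers a race with another writer
    }
    $tmp = $file . '.' . getmypid() . '.tmp';
    if (file_put_contents($tmp, $html, LOCK_EX) === false) {
        return false;
    }
    return rename($tmp, $file);
}

// Fetch a cached page that is younger than $ttl seconds, or null.
function cache_fetch($root, $key, $ttl)
{
    $file = cache_path($root, $key);
    if (!is_file($file) || filemtime($file) < time() - $ttl) {
        return null;
    }
    return file_get_contents($file);
}

// Constructed URLs: every spelling below collapses to the same key and the same file.
$variants = [
    'http://example.org/questions/',
    'http://EXAMPLE.org/questions',
    'http://example.org/questions?utm_source=twitter',
    'http://example.org/questions/#answer-5',
];
$keys  = array_unique(array_map('canonical_key', $variants));   // one key: example.org/questions
$paths = array_unique(array_map(function ($k) { return cache_path('/tmp/q2a-cache', $k); }, $keys));
```

For a Q2A install the key should be built from the URL Q2A itself treats as canonical for the request (question ID plus slug, for example) rather than from a generic normaliser like this one; the sharding and atomic write apply unchanged.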
I like the idea of caching using MySQL. A lot easier to manage, and it avoids such limitations.

function unlinkRecursive: This function will KILL the machine. It needs to simply use a wildcard delete with unlink.

I managed to log in with no problem. How are tokens handled? It seems to be working fine.
by
Hi @sama55, did you see my comments above? Please reply. I cannot PM you; it is closed.
by
Sorry, steven. Because I had many, many direct questions from other users in the past, I am rejecting PMs and wall posts. Let's have the conversation on GitHub. My other Q2A friends are doing so as well. And because I want to manage each individual problem in its own thread, please submit your issues to my GitHub.
https://github.com/sama55/q2a-caching/issues
Thanks.
by
Now I am consulting with Gideon about this issue. The security level would be reduced a little, but we can likely achieve better code.

1 Answer

0 votes
by
@sama55, are you talking about security tokens? Maybe it is not a big deal after all, since it only applies to unregistered users, and those posts would be moderated in any case.
...