#5890 - Consider additionally validating CSRF via cookie
-
By PDStig
- Added
- 3 views
| Identifier | #5890 |
|---|---|
| Issue type | Feature request or suggestion |
| Title | Consider additionally validating CSRF via cookie |
| Status | Closed (rejected) |
| Tags |
Roadmap: v11 (custom) Type: Security (custom) |
| Handling member | Deleted |
| Addon | core |
| Description | As an added layer of security, consider also setting the CSRF token as an HttpOnly / Secure cookie, and upon server-side validation, validate both the POST parameters and the cookies to ensure the CSRF token has been passed in by both methods and is correct.
Make sure this will work for AJAX requests especially. And check to see if there are any downsides to this approach, such as compatibility (e.g. what if cookies are rejected?). |
| Steps to reproduce | |
| Additional information | Implementing this will make forging the token exceptionally harder by attackers. |
| Related to | #5887 - Session cookies should always be HttpOnly / Secure where applicable |
| Funded? | No |
The system will post a comment when this issue is modified (e.g., status changes). To be notified of this, click "Enable comment notifications".
Comments
If we REALLY wanted to go hardcore, we could also make it so the cookie is a different token from what is put on the forms. Both are stored with the user session. And both need to be validated accordingly and matched correctly server-side to pass. That way, if the token is stolen from one method, it still won't work. Maybe this could be a config option, and enabled only with the "high/extreme" security profiles by the Setup Wizard.
Closing.