View Issue Details

Jump to NotesJump to History
IDProjectCategoryView StatusDate SubmittedLast Update
5890Composrcorepublic2024-08-14 19:292024-09-06 01:58
ReporterPDStig Assigned ToPDStig  
PrioritynormalSeverityfeature 
Status closedResolutionwon't fix 
Summary5890: Consider additionally validating CSRF via cookie
DescriptionAs an added layer of security, consider also setting the CSRF token as an HttpOnly / Secure cookie, and upon server-side validation, validate both the POST parameters and the cookies to ensure the CSRF token has been passed in by both methods and is correct.

Make sure this will work for AJAX requests especially. And check to see if there are any downsides to this approach, such as compatibility (e.g. what if cookies are rejected?).
Additional InformationImplementing this will make forging the token exceptionally harder by attackers.
TagsRoadmap: v11, Type: Security
Attach Tags
Time estimation (hours)
Sponsorship open

Sponsor

Date Added Member Amount Sponsored

Relationships

Search Commits
related to 5887 ResolvedPDStig Session cookies should always be HttpOnly / Secure where applicable 

Activities

PDStig

2024-08-14 19:31

administrator   ~9193

Last edited: 2024-08-14 19:35

 Will need to make special considerations for http_requests.

If we REALLY wanted to go hardcore, we could also make it so the cookie is a different token from what is put on the forms. Both are stored with the user session. And both need to be validated accordingly and matched correctly server-side to pass. That way, if the token is stolen from one method, it still won't work. Maybe this could be a config option, and enabled only with the "high/extreme" security profiles by the Setup Wizard.

PDStig

2024-09-06 01:38

administrator   ~9300

This might not work for AJAX requests because they need a way to get a CSRF token. They do this through a secondary AJAX request getting a token, but this method will prevent being able to set an HttpOnly CSRF cookie for additional validation.

PDStig

2024-09-06 01:58

administrator   ~9301

Actually OWASP does not recommend transmitting the token as a cookie for the sync token CSRF method in stateful apps (which Composr is stateful).

Closing.

Issue History

Date Modified Username Field Change
2024-08-14 19:29 PDStig New Issue
2024-08-14 19:29 PDStig Status Not Assigned => Assigned
2024-08-14 19:29 PDStig Assigned To => user4172
2024-08-14 19:29 PDStig Tag Attached: Roadmap: v11
2024-08-14 19:29 PDStig Tag Attached: Type: Security
2024-08-14 19:29 PDStig Relationship added related to 5887
2024-08-14 19:31 PDStig Note Added: 0009193
2024-08-14 19:32 PDStig Additional Information Updated
2024-08-14 19:34 PDStig Note Edited: 0009193
2024-08-14 19:35 PDStig Note Edited: 0009193
2024-09-06 01:38 PDStig Note Added: 0009300
2024-09-06 01:58 PDStig Status Assigned => Closed
2024-09-06 01:58 PDStig Resolution open => won't fix
2024-09-06 01:58 PDStig Note Added: 0009301