I keep track of my error log file and keep seeing TokenMismatchException exceptions from the app login page.

At first I thought someone was trying to hack my site by using a robot to submit to the login form.

Then I saw too many of them from many IPs.

After a few weeks I think I figured it out. I implemented the login as a modal form. Some users have their tab open for a long time and finally decide to log in. When they do, the CSRF token has expired.

My question is: is it safe to turn off the CSRF check?

Yada

2 Answers

NO

Cross-Site Request Forgery (CSRF) is a type of attack that occurs when a malicious Web site, email, blog, instant message, or program causes a user’s Web browser to perform an unwanted action on a trusted site for which the user is currently authenticated.

We don't know if our website will become the target of an attacker. Let's assume you have a website about e-currency, and of course your users can transfer funds to other users.

HERE IS THE EXPLOITATION

John is the victim, and Ron is the attacker.

Let's make it simple: Ron sends some email to John regarding your e-currency site, and Ron tells John to click some link (a malicious website) which is already designed to send funds from John's account to Ron's.

In this case John is currently authenticated, John clicks the link, and Bamm.. John loses the money.

So, it's not safe to turn off CSRF protection, UNLESS you can make sure your website will never become the target of an attacker.

And about the error log, leave it as is, since the log helps you a lot sometimes.

Thanks.

ps: the medium is not only email, but a malicious website, chat, etc. The concept is how the target can be made to open a malicious website which is designed to send a form, etc. to the targeted website.

Dark Cyber

NO, it's not safe to turn it off. You will be vulnerable to cross-site request forgery.

But I think the reason for your problem is not the users taking too much time until they log in, because the time set for the cookie that contains the CSRF token until it is destroyed is 2 hours.

And if you want to modify this time, you can go to:

vendor\laravel\framework\src\Illuminate\Foundation\Http\Middleware\VerifyCsrfToken.php

and you will find a function called addCookieToResponse(); the time is set to:

time()+60*120

which is 2 hours.

Abdelrahman Magraby
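As an added example (not code from either answer above or from Laravel itself), one way to keep the CSRF check switched on while handling the expired-modal case more gracefully: catch TokenMismatchException in the application's exception handler and send the user back to the login form, which renders a fresh token. It assumes a Laravel 5.x application with a named `login` route; the exception is still reported to the error log as the first answer recommends, only what the user sees changes.

```php
<?php
// Assumed location: app/Exceptions/Handler.php in a Laravel 5.x application
// (hypothetical app; the 'login' route name is an assumption).

namespace App\Exceptions;

use Exception;
use Illuminate\Session\TokenMismatchException;
use Illuminate\Foundation\Exceptions\Handler as ExceptionHandler;

class Handler extends ExceptionHandler
{
    /**
     * Render an exception into an HTTP response.
     *
     * A stale CSRF token from a long-open login modal must still be
     * rejected, and the VerifyCsrfToken middleware keeps doing that.
     * This only changes what happens after the rejection: instead of a
     * bare error page the user gets the login form again with a new
     * token. report() is untouched, so the log entry is still written.
     */
    public function render($request, Exception $exception)
    {
        if ($exception instanceof TokenMismatchException) {
            // AJAX / API callers get a 419 JSON body they can react to
            // (e.g. by reloading the page to obtain a fresh token).
            if ($request->expectsJson()) {
                return response()->json(
                    ['message' => 'Your session has expired. Please reload and try again.'],
                    419
                );
            }

            // Browser form post: back to the login page. The username is
            // kept so the user does not have to retype it; the password
            // and the stale token are deliberately not re-flashed.
            return redirect()
                ->route('login')
                ->withInput($request->except('_token', 'password'))
                ->withErrors(['login' => 'Your session has expired. Please try again.']);
        }

        return parent::render($request, $exception);
    }
}
```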