
During some basic security testing, when the Apache request was sent with the same value in the custom CSRF cookie header and in the POST CSRF token, the CSRF token got validated and the request was processed.

I have gone through the implementation.

    // CodeIgniter's check: the POST token must be a string that matches the cookie token
    $valid = isset($_POST[$this->_csrf_token_name], $_COOKIE[$this->_csrf_cookie_name])
        && is_string($_POST[$this->_csrf_token_name]) && is_string($_COOKIE[$this->_csrf_cookie_name])
        && hash_equals($_POST[$this->_csrf_token_name], $_COOKIE[$this->_csrf_cookie_name]);

Both values being verified come from the client side.

hash_equals($_POST[$this->_csrf_token_name], $_COOKIE[$this->_csrf_cookie_name])

Is there any purpose to CodeIgniter implementing it this way?

Has anyone tried to implement it in the session instead of a cookie?

Aghilan B
  • What do you need to do? The question is not clear. – Siddhartha esunuri Oct 03 '20 at 06:24
  • Instead of storing the CSRF token in a client-side cookie, I want to store it in a session variable. – Aghilan B Oct 03 '20 at 08:57
  • You are not understanding the principles behind CSRF. Here is some reading on the matter: https://stackoverflow.com/questions/2581488/understanding-csrf – TimBrownlaw Oct 03 '20 at 09:33
  • Hi @TimBrownlaw. In CodeIgniter the token is generated with **md5 hashing**. md5 is 32 chars long, right? But I sent a cookie with a token of only 5 digits and a POST token with the same 5 digits. The process completed successfully without any issue. But I think the process has to be stopped in this case. – Aghilan B Oct 05 '20 at 05:33
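As an added example (not CodeIgniter's own code and not the asker's), the two token-storage options from this thread side by side, with plain arrays standing in for $_POST, $_COOKIE and $_SESSION so it runs from the CLI; the function names are invented here, and the token name is assumed to be CodeIgniter 3's default csrf_test_name. It shows why the client-chosen 5-digit pair from the last comment passes the double-submit comparison but fails once the expected token is held server-side in the session.

```php
<?php
// Added example, not CodeIgniter's code: the two CSRF token-storage
// options from the thread, with arrays standing in for the PHP superglobals.

// Double-submit cookie, as in the CodeIgniter snippet: the POST token must
// equal the cookie token. Both values come from the client, so this only
// defends against a cross-site attacker who cannot set cookies for this origin.
function csrf_valid_double_submit(array $post, array $cookie, string $name): bool
{
    return isset($post[$name], $cookie[$name])
        && is_string($post[$name]) && is_string($cookie[$name])
        && hash_equals($post[$name], $cookie[$name]);
}

// Synchronizer token: the expected value lives server-side in the session,
// so the client cannot make up a matching pair on its own.
function csrf_valid_session(array $post, array $session, string $name): bool
{
    return isset($post[$name], $session[$name])
        && is_string($post[$name]) && is_string($session[$name])
        && hash_equals($session[$name], $post[$name]);
}

// Server issues a fresh random token into the session and returns it
// so the form can embed it in a hidden field.
function csrf_issue(array &$session, string $name): string
{
    $session[$name] = bin2hex(random_bytes(16));
    return $session[$name];
}

$name = 'csrf_test_name'; // assumed: CodeIgniter 3's default token name

// Constructed request from the comments: a self-chosen 5-digit token
// sent both as the cookie and as the POST field.
$post    = [$name => '12345'];
$cookie  = [$name => '12345'];
$session = [];
csrf_issue($session, $name);

printf("double-submit accepts client-chosen pair: %s\n",
    csrf_valid_double_submit($post, $cookie, $name) ? 'yes' : 'no');
printf("session check accepts client-chosen pair:  %s\n",
    csrf_valid_session($post, $session, $name) ? 'yes' : 'no');

// A legitimate form submission echoes back the token the server issued.
$post[$name] = $session[$name];
printf("session check accepts issued token:        %s\n",
    csrf_valid_session($post, $session, $name) ? 'yes' : 'no');
```

The double-submit form is only as strong as the browser's cookie isolation for the site, while the session form ties validity to a token the server itself issued.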
