43
linuxxx
7y

I'm losing my fucking mind right fucking here.

Setting an anti-csrf token in the index.php file ONCE. Yes, I triple trillion checked, only fucking once.

Print it to the page as test, fair enough, looks good.

Send an ajax request to the server:
AN ENTIRELY FUCKING DIFFERENT TOKEN 😡

Fucking hell.

Comments
  • 5
    I've never even bothered with CSRF.
    How important is it?
  • 0
    @Frederick Does that work by checking the hash of the body?
  • 4
    @Frederick CSRF codes can protect against some bots but very much against session hijacking through XSS vulnerabilities.

    And yes also the thing you described!
  • 0
    @AlexDeLarge Good to know. Implementing that then.
  • 6
    Just let a friend/fellow devRanter review the code. Their reaction: weird...

    😅
  • 0
    Ehh, using ajax with csrf tokens is usually pretty sketchy cuz u might overwrite a cookie during the ajax request. Try doing it with a full post? Unless ur form has to be submitted through ajax
  • 0
    @iexx Why would that be sketchy? And yeah I checked, the right session is being submitted (there's only one anyways)
  • 0
    @linuxxx nah not the session cookie, but if ur server side is set up to generate a new token per request, it could replace the server's copy of the csrf token (this happened to me before
  • 0
    @iexx True and it is setup to do that but ONLY with the index.php and I'm calling other php files
  • 0
    @linuxxx hmm idk then, that's all I could think of. good luck this kinda thing is tough to get right
  • 2
    @CoffeeNcode It appeared to be a forgotten ajax call which called "nope" and that appearantly got directed to index.php :)
  • 2
    @PrivateGER just to add to the above, laravel has it too, in form of just putting a "@csrf" into your forms (in your template files) and also enforces them, by simply declining certain requests if theres no csrf
  • 1
    @CoffeeNcode laravel is based on symfony components :P
Add Comment