Comments on: CSRF Protection in Code Igniter using Form Tokens http://blog.builtbyprime.com/security/csrf-protection-in-code-igniter-using-form-tokens Prime Studios Sat, 18 Dec 2010 19:00:00 +0000 hourly 1 http://wordpress.org/?v= By: Prime Studios http://blog.builtbyprime.com/security/csrf-protection-in-code-igniter-using-form-tokens/comment-page-1#comment-63 Prime Studios Sun, 07 Nov 2010 23:01:13 +0000 http://blog.primestudiosllc.com/?p=550#comment-63 Most definitely. If you were an admin, and your cookie is sitting in your browser to validate you, you could be tricked into submitting a form on another website, which triggers a "change price" action on your admin site, which would be bad. Thats just one example, and while admin forms are a little tighter because only a select few might have access to the form's code, and know its vulnerabilities, I wouldn't bank on that stopping anyone! Most definitely. If you were an admin, and your cookie is sitting in your browser to validate you, you could be tricked into submitting a form on another website, which triggers a “change price” action on your admin site, which would be bad. Thats just one example, and while admin forms are a little tighter because only a select few might have access to the form's code, and know its vulnerabilities, I wouldn't bank on that stopping anyone!

]]> By: Matt http://blog.builtbyprime.com/security/csrf-protection-in-code-igniter-using-form-tokens/comment-page-1#comment-62 Matt Sun, 07 Nov 2010 01:54:56 +0000 http://blog.primestudiosllc.com/?p=550#comment-62 One more question - what about administration panel forms? (e.g. add new product, add new category etc.) One more question – what about administration panel forms? (e.g. add new product, add new category etc.)

]]> By: Matt http://blog.builtbyprime.com/security/csrf-protection-in-code-igniter-using-form-tokens/comment-page-1#comment-61 Matt Wed, 03 Nov 2010 20:29:46 +0000 http://blog.primestudiosllc.com/?p=550#comment-61 ok,that sounds reasonable.<br>Thanks a lot, your tutorial was really helpful.<br> ok,that sounds reasonable.
Thanks a lot, your tutorial was really helpful.

]]> By: Prime Studios http://blog.builtbyprime.com/security/csrf-protection-in-code-igniter-using-form-tokens/comment-page-1#comment-60 Prime Studios Wed, 03 Nov 2010 19:26:26 +0000 http://blog.primestudiosllc.com/?p=550#comment-60 Thats a good question, and debatable. I typically put a token on each form, just because once it is built into the framework it is easy to do and it keeps all your code similar. It is especially important on e-commerce websites because you don't want a website other than yours to be able to POST form information to your scripts. For instance, if you have a cookie in your browser to keep you logged into your favorite online store, clicking a malicious form on another website could POST to your online store site and execute a function like "add to cart" or "checkout", provided it posts valid information, all because your browser is technically logged in that website. With a token (or nonce), it makes this very difficult.<br><br>Where I don't use tokens is things like "logout" links, or maybe "remove from cart" anchors.. because its not the end of the world if those are somehow compromised. Thats a good question, and debatable. I typically put a token on each form, just because once it is built into the framework it is easy to do and it keeps all your code similar. It is especially important on e-commerce websites because you don't want a website other than yours to be able to POST form information to your scripts. For instance, if you have a cookie in your browser to keep you logged into your favorite online store, clicking a malicious form on another website could POST to your online store site and execute a function like “add to cart” or “checkout”, provided it posts valid information, all because your browser is technically logged in that website. With a token (or nonce), it makes this very difficult.

Where I don't use tokens is things like “logout” links, or maybe “remove from cart” anchors.. because its not the end of the world if those are somehow compromised.

]]> By: Matt http://blog.builtbyprime.com/security/csrf-protection-in-code-igniter-using-form-tokens/comment-page-1#comment-59 Matt Wed, 03 Nov 2010 11:37:38 +0000 http://blog.primestudiosllc.com/?p=550#comment-59 Hi,<br>Should all forms on a website be protected with a token? (For example on a ecommerce website there are many types of forms: add to cart, request a printed catalogue, enquiry form, checkout/order etc.; which of these need a token?) Hi,
Should all forms on a website be protected with a token? (For example on a ecommerce website there are many types of forms: add to cart, request a printed catalogue, enquiry form, checkout/order etc.; which of these need a token?)

]]>