
CSRFVerifyToken not working

Explorer, Aug 24, 2015

I am trying to implement the new tags to remediate the CSRF finding in our scans but can't seem to get the CSRFVerifyToken to work.  I found the following snippet and put it on a test page.  It appears that the token is being generated but when I try to use the CSRFVerifyToken tag, it returns NO.  Is there something that I am doing wrong or do you have to have a setting set in the administrator?  We are using most recent CF11.

<cfif isDefined("form.submit") and CSRFVerifyToken(form.token, "make-admin")>
    <!--- perform operation --->
    <cfoutput><p>Operation performed.</p></cfoutput>
</cfif>

<form action="test.cfm" method="post">
    <cfoutput>
        <input type="hidden" name="token" value="#CSRFGenerateToken("make-admin")#" />
    </cfoutput>
    <input type="submit" value="Make Administrator" name="submit" />
</form>

Engaged, Aug 25, 2015
Do you have sessionManagement enabled in your Application.cfc?  Sessions are required to use the CSRF functions.

Explorer, Aug 26, 2015
Yes, I do.  The interesting thing is that it does seem to be tied to session management and timeout.  I put an Application.cfc in the same folder with my test page.  I set the sessionmanagement = yes and a sessiontimeout for 2 minutes.  When I bring up the page and submit, it works fine.  I put a timer on my phone and tested at 1 minute 55 seconds.  It worked fine.  I then reset the timer and tried it again and retested at 2 minutes 5 seconds; it failed.  That told me that the token was being stored in the session scope even though a dump doesn't show it.  With all that being said, I think that I have it working now.  I did alter the generate token tag to forcenew each time and also added the key parameter.  My implementation is going to have a 15 minute session timeout.  That way if the user lets his session expire, it will log him out due to his session expiring, force him to login again, which will in turn create a new csrf token and he can proceed.  Does it sound like I have a handle on this?

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
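The three pieces this thread circles around, as an added example that is not code from any of the posts above: an Application.cfc that turns on the session management the reply says the CSRF functions require, and a form page that embeds a token with CSRFGenerateToken and fails closed when CSRFVerifyToken returns NO. Because the token lives in the session, an expired session (the 2-minute timing test above, or the poster's planned 15-minute timeout) means a fresh token on the next login and a NO for any token issued before it. The application name "csrfDemo", the 403 response, the log file name and the use of encodeForHTMLAttribute are my additions; test.cfm and the "make-admin" key are the thread's own.

```cfml
<!--- Application.cfc (added example, not from the thread) --->
<cfcomponent>
    <cfset this.name = "csrfDemo">
    <!--- Required: CSRFGenerateToken/CSRFVerifyToken store and look up the token in the session --->
    <cfset this.sessionManagement = true>
    <!--- 15-minute idle timeout, as in the poster's plan; once the session expires the old token no longer verifies --->
    <cfset this.sessionTimeout = createTimeSpan(0, 0, 15, 0)>
</cfcomponent>

<!--- test.cfm (added example) --->
<cfif structKeyExists(form, "submit")>
    <!--- Verify with the same key the token was generated for; a missing token is treated as a failed check --->
    <cfif NOT structKeyExists(form, "token") OR NOT CSRFVerifyToken(form.token, "make-admin")>
        <!--- Record the rejection for detection; "csrf" is an assumed log file name --->
        <cflog file="csrf" type="warning"
               text="CSRF token rejected for #cgi.remote_addr# on #cgi.script_name#">
        <cfheader statuscode="403" statustext="Forbidden">
        <cfoutput><p>Request rejected: the form token is missing or expired. Reload the page and try again.</p></cfoutput>
        <cfabort>
    </cfif>
    <!--- Token verified: the privileged operation goes here --->
    <cfoutput><p>Operation performed.</p></cfoutput>
</cfif>

<form action="test.cfm" method="post">
    <cfoutput>
        <!--- Without forceNew, the same per-session token is returned for this key until the session ends --->
        <input type="hidden" name="token"
               value="#encodeForHTMLAttribute(CSRFGenerateToken("make-admin"))#" />
    </cfoutput>
    <input type="submit" value="Make Administrator" name="submit" />
</form>
```

Checking for the token with structKeyExists before calling CSRFVerifyToken avoids an "element TOKEN is undefined" error when a request arrives without the hidden field, and the cfabort after the 403 keeps the privileged branch unreachable on failure. Re-rendering the form after a rejection gives the user a token that matches the current session, which is the behaviour the timing test in this thread demonstrates.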
Engaged, Aug 26, 2015
Sounds like you are on the correct track.
