cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Exit
search
  • Global community
    • Language:
      • Deutsch
      • English
      • Español
      • Français
      • Português
  • 日本語コミュニティ
  • 한국 커뮤니티
0
Upvote

CSRFVerifyToken not working

ronboy30
Explorer ,
Aug 24, 2015 Aug 24, 2015

I am trying to implement the new tags to remediate the CSRF finding in our scans but can't seem to get the CSRFVerifyToken to work.  I found the following snippet and put it on a test page.  It appears that the token is being generated but when I try to use the CSRFVerifyToken tag, it returns NO.  Is there something that I am doing wrong or do you have to have a setting set in the administrator?  We are using most recent CF11.

<cfif isDefined("form.submit") and CSRFVerifyToken(form.token, "make-admin")>

      perform operation

</cfif>

<form action="test.cfm" method="post">

<cfoutput>

<input type="hidden" name="token" value="#CSRFGenerateToken("make-admin")#" />

</cfoutput>

<input type="submit" value="Make Administrator" name="submit" />

</form>

1.2K
Translate
Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
replies 3 Replies 3
latest latest Jump to latest reply
nic_tunney
Engaged ,
Aug 25, 2015 Aug 25, 2015

Do you have sessionManagement enabled in your Application.cfc?  Sessions are required to use the CSRF functions.

Translate
Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
ronboy30
Explorer ,
Aug 26, 2015 Aug 26, 2015
In Response To nic_tunney

Yes, I do.  The interesting thing is that it does seem to be tied to session management and timeout.  I put an Application.cfc in the the same folder with my test page.  I set the sessionmanagement = yes and a sessiontimeout for 2 minutes.  When I bring up the page and submit, it works fine.  I put a timer on my phone and tested at 1 minute 55 seconds.  It worked fine.  I then reset the timer and tried it again and retested at 2 minutes 5 seconds, it failed.  That told me that the token was being stored in the session scope even though a dump doesn't show it.  With all that being said, I think that I have it working now.  I did alter the generate token tag to forcenew each time and also added the key parameter.  My implementation is going to have a 15 minute session timeout.  That way if the user lets his session expire, it will log him out due to his session expiring, force him to login again, which will in turn create a new csrf token and a he can proceed.  Does it sound like I have a handle on this?

Translate
Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
nic_tunney
Engaged ,
Aug 26, 2015 Aug 26, 2015
LATEST
In Response To ronboy30

Sounds like you are on the correct track.

Translate
Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Resources
Documentation
ColdFusion User Guide
Open in a new window
Copyright © 2025 Adobe. All rights reserved.
Using the Community Experience League Terms of Use Privacy Cookie preferences Do not sell or share my personal information ad choicesAdChoices