I am trying to implement the new tags to remediate the CSRF finding in our scans but can't seem to get the CSRFVerifyToken to work. I found the following snippet and put it on a test page. It appears that the token is being generated but when I try to use the CSRFVerifyToken tag, it returns NO. Is there something that I am doing wrong or do you have to have a setting set in the administrator? We are using most recent CF11.
<cfif isDefined("form.submit") and CSRFVerifyToken(form.token, "make-admin")>
<!--- token verified: perform the protected action here --->
</cfif>
<cfoutput>
<form action="test.cfm" method="post">
<input type="hidden" name="token" value="#CSRFGenerateToken("make-admin")#" />
<input type="submit" value="Make Administrator" name="submit" />
</form></cfoutput>
Do you have sessionManagement enabled in your Application.cfc? Sessions are required to use the CSRF functions.
Yes, I do. The interesting thing is that it does seem to be tied to session management and timeout. I put an Application.cfc in the same folder with my test page. I set the sessionmanagement = yes and a sessiontimeout for 2 minutes. When I bring up the page and submit, it works fine. I put a timer on my phone and tested at 1 minute 55 seconds. It worked fine. I then reset the timer, tried it again, and retested at 2 minutes 5 seconds; it failed. That told me that the token was being stored in the session scope even though a dump doesn't show it. With all that being said, I think that I have it working now. I did alter the generate token tag to forceNew each time and also added the key parameter. My implementation is going to have a 15-minute session timeout. That way if the user lets his session expire, it will log him out due to his session expiring, force him to log in again, which will in turn create a new CSRF token, and he can proceed. Does it sound like I have a handle on this?
Sounds like you are on the correct track.
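The setup described in the thread put together as one added example (not code from the thread or from Adobe): an Application.cfc that enables sessions with the 15-minute timeout, and a test.cfm that verifies the submitted token before it generates a new one with forceNew. The application name "csrfDemo" and the "make-admin" key are assumptions.

```cfml
<!--- Application.cfc: the CSRF functions store the token in the session
      scope, so sessionManagement must be on and the token lives exactly
      as long as the session (the 2-minute experiment in the thread). --->
component {
    this.name              = "csrfDemo";                      // assumed name
    this.sessionManagement = true;
    this.sessionTimeout    = createTimeSpan(0, 0, 15, 0);     // 15 minutes
}

<!--- test.cfm: verify FIRST, then render the form with a fresh token.
      Order matters: CSRFGenerateToken(key, true) replaces the stored token
      for that key, so calling it before CSRFVerifyToken would invalidate
      the token the browser just posted. --->
<cfif structKeyExists(form, "submit")>
    <!--- Guard the token lookup so a request without the hidden field
          is rejected instead of throwing an error. --->
    <cfif structKeyExists(form, "token") and CSRFVerifyToken(form.token, "make-admin")>
        <p>Token verified: perform the privileged action here.</p>
    <cfelse>
        <p>Token missing, expired or invalid: nothing was done.</p>
    </cfif>
</cfif>

<cfoutput>
<form action="test.cfm" method="post">
    <!--- forceNew = true issues a new token on every render of the form.
          The value is still HTML-attribute encoded as a matter of habit. --->
    <input type="hidden" name="token"
           value="#encodeForHTMLAttribute(CSRFGenerateToken("make-admin", true))#" />
    <input type="submit" value="Make Administrator" name="submit" />
</form>
</cfoutput>
```

Because forceNew replaces the session's token for the key on every render, a copy of the form left open in a second tab will fail verification once this page is loaded again; if users work in several tabs, generate without forceNew and rely on the session timeout alone.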