CSRFVerifyToken not working

Explorer ,
Aug 24, 2015

I am trying to implement the new tags to remediate the CSRF finding in our scans but can't seem to get the CSRFVerifyToken to work. I found the following snippet and put it on a test page. It appears that the token is being generated, but when I try to use the CSRFVerifyToken tag, it returns NO. Is there something that I am doing wrong, or do you have to have a setting set in the administrator? We are using the most recent CF11.

<!--- Verify the submitted token against the one stored in the session for key "make-admin" --->
<cfif isDefined("form.submit") and CSRFVerifyToken(form.token, "make-admin")>
      <!--- perform operation --->
</cfif>

<form action="test.cfm" method="post">
<cfoutput>
<!--- Generate (or reuse) the session token for key "make-admin" and embed it in the form --->
<input type="hidden" name="token" value="#CSRFGenerateToken("make-admin")#" />
</cfoutput>
<input type="submit" value="Make Administrator" name="submit" />
</form>

Engaged ,
Aug 25, 2015

Do you have sessionManagement enabled in your Application.cfc?  Sessions are required to use the CSRF functions.

Explorer ,
Aug 26, 2015

Yes, I do. The interesting thing is that it does seem to be tied to session management and timeout. I put an Application.cfc in the same folder with my test page. I set the sessionmanagement = yes and a sessiontimeout for 2 minutes. When I bring up the page and submit, it works fine. I put a timer on my phone and tested at 1 minute 55 seconds. It worked fine. I then reset the timer and tried it again and retested at 2 minutes 5 seconds; it failed. That told me that the token was being stored in the session scope even though a dump doesn't show it. With all that being said, I think that I have it working now. I did alter the generate token tag to forcenew each time and also added the key parameter. My implementation is going to have a 15 minute session timeout. That way, if the user lets his session expire, it will log him out due to his session expiring and force him to login again, which will in turn create a new csrf token and he can proceed. Does it sound like I have a handle on this?

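A minimal working pair for what the replies describe, added here as an example and not code from the thread: an Application.cfc that turns on session management with the 15 minute timeout the poster plans, and a protected page that guards the token field before calling CSRFVerifyToken. The application name "csrfDemo" and the file name test.cfm are assumptions.

```cfml
<!--- Application.cfc: the CSRF functions keep the token in the session,
      so session management must be on (this is what the first reply asks about).
      The application name is an assumption for this example. --->
<cfcomponent>
    <cfset this.name = "csrfDemo">
    <cfset this.sessionManagement = true>
    <!--- 15 minutes, as planned in the thread: once the session expires the
          stored token is gone and CSRFVerifyToken returns NO --->
    <cfset this.sessionTimeout = createTimeSpan(0, 0, 15, 0)>
</cfcomponent>

<!--- test.cfm: the protected page --->
<cfif structKeyExists(form, "submit")>
    <!--- Guard the field first: if form.token is absent, referencing it throws
          instead of returning NO. CSRFVerifyToken compares the submitted value
          with the token stored in this session under the key "make-admin". --->
    <cfif structKeyExists(form, "token") and CSRFVerifyToken(form.token, "make-admin")>
        <!--- perform the privileged operation here --->
        <cfoutput><p>Token verified, operation performed.</p></cfoutput>
    <cfelse>
        <!--- Missing, stale or forged token: refuse and stop processing --->
        <cfheader statuscode="403" statustext="Forbidden">
        <cfoutput><p>Request rejected: invalid or expired CSRF token.</p></cfoutput>
        <cfabort>
    </cfif>
</cfif>

<form action="test.cfm" method="post">
<cfoutput>
    <!--- forceNew=false reuses the session's existing token for this key, so a
          form opened in a second tab still verifies; forceNew=true (as the
          poster chose) replaces it on every render, invalidating older tabs. --->
    <input type="hidden" name="token" value="#CSRFGenerateToken("make-admin", false)#" />
</cfoutput>
<input type="submit" value="Make Administrator" name="submit" />
</form>
```

Without the Application.cfc (or with sessionManagement off) the second branch is always taken, which matches the NO the original post reports.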
Engaged ,
Aug 26, 2015

Sounds like you are on the correct track.
