csrfprotectionmodelbehavior This is another common attack against web sites and applications.

  1. Overview
  2. ACTION
  3. VIEW
  4. BEHAVIOR

Overview

This is another common attack against web sites and applications. Forms designed to perform tasks such as user registration or adding comments are vulnerable to this attack.

The idea is to prevent the form values from being sent outside our application. To fix this, we generate a random nonce (token) in each form, add the token in the session and then validate the token once the form posts data back to our application by comparing the stored token in the session to the one submitted by the form:

ACTION 

public function actionLogin()
{
    $loginForm = new LoginForm;
    if (isset($_POST['LoginForm'])) {
           $loginForm->attributes = $_POST['LoginForm'];
          if (
               $loginForm->validate(array('username', 'password')) && 
               $loginForm->login()
           ) {
                $this->redirect(array('/user/index'));
          }
     }
     $loginForm->createToken(true);
     $this->render('login', array('loginForm' => $loginForm));
}

VIEW 

$form = $this->beginWidget('CActiveForm');
......
echo $model->createTokenField(); 
.......
$this->endWidget();

BEHAVIOR

ADD BEHAVIOR TO MODEL

"CSRFProtectorBehavior" => array(
  "class" => 'CSRFProtectorBehavior',
  'tokenErrorMessage' => Yii::t('app', 'Validacijski token nije ispravan')
)
0 0
5 followers
320 downloads
Yii Version: Unknown
License: BSD-2-Clause
Category: Security
Tags: csrf, Security, web
Developed by: Igor Ivanovic
Created on: Jul 5, 2013
Last updated: 11 years ago

Downloads

show all

Related Extensions