[Catalyst] Re: CSRF

Aristotle Pagaltzis pagaltzis at gmx.de
Wed Oct 1 11:20:04 BST 2008

* Moritz Onken <onken at houseofdesign.de> [2008-10-01 09:25]:
> The best way is to include a random string which has to be
> stored somewhere for comparison on the server side.

Doesn’t have to be stored. Send a random string as well as a HMAC
digest of a server secret plus the same string. To check a token,
check if the random string plus server secret hash to the same
digest as the one provided by the client. Since the server secret
is not known or knowable to third parties, if the digest checks
out, then this token must have been minted by the server. Very
simple; near-zero CPU overhead; no server-side storage required.

Instead of a random string, you can also use useful data: include
a datetimestamp of when you minted that token, and expire tokens
after X period of time.

Better still, include the form action URI in the token.

And the user ID.

Concatenate all these bits, then hash them together with the
server secret using HMAC, then concatenate the resulting hash.
Now you have a token that says “at $datetime, $user was granted
permission to POST to $uri, verifiable by $digest.”

Aristotle Pagaltzis // <http://plasmasturm.org/>

More information about the Catalyst mailing list