From 2be25a6fdb9aa197debca28d1cfe0e0e542296b0 Mon Sep 17 00:00:00 2001
From: RS71
Date: Sat, 31 Dec 2011 16:02:04 -0200
Subject: Update system/core/Security.php
---
 system/core/Security.php | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/system/core/Security.php b/system/core/Security.php
index 60a64f358..510f3d1ae 100755
--- a/system/core/Security.php
+++ b/system/core/Security.php
@@ -180,9 +180,14 @@ class CI_Security {
 // polute the _POST array
 unset($_POST[$this->_csrf_token_name]);
- // Nothing should last forever
- unset($_COOKIE[$this->_csrf_cookie_name]);
- $this->_csrf_hash = '';
+ // Regenerate on every submission?
+ if (config_item('csrf_regenerate'))
+ {
+ // Nothing should last forever
+ unset($_COOKIE[$this->_csrf_cookie_name]);
+ $this->_csrf_hash = '';
+ }
+
 $this->_csrf_set_hash();
 $this->csrf_set_cookie();
-- cgit v1.2.3-24-g4f1b
From 4b2e9fea1f34b4b2cff30b3211579e883b31005d Mon Sep 17 00:00:00 2001
From: RS71
Date: Sat, 31 Dec 2011 16:02:50 -0200
Subject: Update application/config/config.php
---
 application/config/config.php | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/application/config/config.php b/application/config/config.php
index 063c3d5d1..70a9856fd 100644
--- a/application/config/config.php
+++ b/application/config/config.php
@@ -326,12 +326,14 @@ $config['global_xss_filtering'] = FALSE;
 | 'csrf_token_name' = The token name
 | 'csrf_cookie_name' = The cookie name
 | 'csrf_expire' = The number in seconds the token should expire.
+| 'csrf_regenerate' = Regenerate token on every submission
 | 'csrf_exclude_uris' = Array of URIs which ignore CSRF checks
 */
 $config['csrf_protection'] = FALSE;
 $config['csrf_token_name'] = 'csrf_test_name';
 $config['csrf_cookie_name'] = 'csrf_cookie_name';
 $config['csrf_expire'] = 7200;
+$config['csrf_regenerate'] = TRUE;
 $config['csrf_exclude_uris'] = array();
 /*
-- cgit v1.2.3-24-g4f1b
From 23ea93bf58bb3ad47bad08c17efa4067abbb5253 Mon Sep 17 00:00:00 2001 
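Review bot: When `csrf_regenerate` is off, the same token is accepted for the whole life of the cookie, and because `$this->csrf_set_cookie()` still runs after every verified submission the cookie's expiry is presumably refreshed each time (its body is outside this hunk), so `csrf_expire` no longer bounds how long a leaked token stays valid. The new branch also reads the flag with `config_item('csrf_regenerate')`, which returns FALSE for a key that is not set, so an installation whose config.php predates this change silently drops from per-submission regeneration to a fixed token on upgrade. Prefer failing secure: resolve the setting once in the constructor with TRUE as the fallback for a missing key and test that member here, e.g. `if ($this->_csrf_regenerate)`, and state the trade-off in the comment: `// Regenerate on every submission? If disabled, one token is reused for the cookie's lifetime (weaker, but survives multiple tabs/AJAX).` The enclosing method starts and ends outside the hunk.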
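Review bot: The key introduced here is `csrf_regenerate`, which matches the `config_item('csrf_regenerate')` read in Security.php, but the user-guide and changelog hunks later in this series document it as `csrf_regeneration`; a user who follows the guide and writes `$config['csrf_regeneration'] = FALSE;` changes nothing, so one of the two names has to be corrected. The description line could also say what turning the flag off means, e.g. `| 'csrf_regenerate' = Regenerate token on every submission (FALSE reuses one token for the cookie's lifetime: weaker, but tolerates multiple tabs/AJAX)`.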
From: RS71
Date: Tue, 3 Jan 2012 12:43:16 -0200
Subject: Update user_guide_src/source/libraries/security.rst
---
 user_guide_src/source/libraries/security.rst | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/user_guide_src/source/libraries/security.rst b/user_guide_src/source/libraries/security.rst
index 8ee0c6e77..e7d25555f 100644
--- a/user_guide_src/source/libraries/security.rst
+++ b/user_guide_src/source/libraries/security.rst
@@ -85,6 +85,10 @@ If you use the :doc:`form helper <../helpers/form_helper>` the form_open() function will automatically insert a hidden csrf field in your forms.
+Tokens may be either regenerated on every submission (default) or kept the same throughout the life of the CSRF cookie. The default regeneration of tokens provides stricter security but may result in usability concerns as other tokens become invalid (back/forward navigation, multiple tabs/windows, asynchronous actions, etc). You may alter this behavior by editing the following config parameter::
+
+ $config['csrf_regeneration'] = TRUE;
+
 Select URIs can be whitelisted from csrf protection (for example API endpoints expecting externally POSTed content). You can add these URIs by editing the 'csrf_exclude_uris' config parameter::
-- cgit v1.2.3-24-g4f1b
From 0fc6409cae13c6be6749e1f160a144fc90713f8b Mon Sep 17 00:00:00 2001
From: RS71
Date: Tue, 3 Jan 2012 12:50:55 -0200
Subject: Update user_guide_src/source/changelog.rst
---
 user_guide_src/source/changelog.rst | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/user_guide_src/source/changelog.rst b/user_guide_src/source/changelog.rst
index 59d2ea88d..b2f247589 100644
--- a/user_guide_src/source/changelog.rst
+++ b/user_guide_src/source/changelog.rst 
@@ -61,6 +61,8 @@ Release Date: Not Released if they are set manually after initialization.
 - Minor speed optimizations and method & property visibility declarations in the Calendar Library.
 - Removed SHA1 function in the :doc:`Encryption Library `.
+ - Added $config['csrf_regeneration'] to the CSRF protection in the :doc:`Security library `, which makes token regeneration optional.
+
 - Core
-- cgit v1.2.3-24-g4f1b