Kryptix Posted April 28, 2012 Share Posted April 28, 2012 How much work do you to stop CSRF? Like, I've made sure when changing passwords/e-mails (or anything related to account security) they have to confirm their own password so CSRF can't really do much. I've got a header referral check on everything but this is really easy to spoof so without putting hidden tokens in each form is there any easier way? I can't really be bothered and the worst thing they can do is get a user to post a spam post on my forum or something trivial. How far do you take it? Quote Link to comment https://forums.phpfreaks.com/topic/261773-csrf/ Share on other sites More sharing options...
requinix Posted April 28, 2012 Share Posted April 28, 2012 The problem isn't that you're not using CSRF tokens, I can't really be bothered That is the problem. As a user I find it distressing when the person/people maintaining a site I use simply don't care. You just shrug off spam? That shows you have no interest in the health of the forum, and if you don't care then why should I? Quote Link to comment https://forums.phpfreaks.com/topic/261773-csrf/#findComment-1341458 Share on other sites More sharing options...
scootstah Posted April 28, 2012 Share Posted April 28, 2012 I validate CSRF for every POST request. If done properly it takes absolutely zero extra time to implement. There's no excuses for not implementing CSRF. Quote Link to comment https://forums.phpfreaks.com/topic/261773-csrf/#findComment-1341460 Share on other sites More sharing options...
xyph Posted April 29, 2012 Share Posted April 29, 2012 My form class extends a token class I've made. It was very little extra work for me to add tokens to my forms I wouldn't call a CSRF header injection easy though. It's quite tricky to spoof the referrer of another client's browser. Many corporate proxies or paranoid users won't send the referrer header on a legit request, though. Quote Link to comment https://forums.phpfreaks.com/topic/261773-csrf/#findComment-1341471 Share on other sites More sharing options...
scootstah Posted April 29, 2012 Share Posted April 29, 2012 I wouldn't call a CSRF header injection easy though. It's quite tricky to spoof the referrer of another client's browser. Many corporate proxies or paranoid users won't send the referrer header on a legit request, though. I feel that checking the referer is pointless because it can be spoofed. Plus, as you said, it might not even bet set. Quote Link to comment https://forums.phpfreaks.com/topic/261773-csrf/#findComment-1341513 Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.