Does the Formo module for Kohana prevent CSRF? I haven't seen any code (tokens etc.) for protecting forms against it. So, is there any built-in solution in Formo, or do I have to protect forms on my own?
Thanks
Kohana has basic support for CSRF protection.
Check these links:
Docs: http://forum.kohanaframework.org/discussion/2052/csrf-helper/p1
Forum: http://kohanaframework.org/3.2/guide/api/Security#token
It basically means you have to put a token in your forms manually with Security::token();
Like this:
    echo Form::hidden('csrf', Security::token());
Then you can check the token where you handle the form via validation:
    $array->rules('csrf', array(
        'not_empty'       => NULL,   // token must be present in the POST data
        'Security::check' => NULL,   // compares it with the token stored in the session
    ));
Related
What is the recommended method of handling user authentication and token creation using Node/Graphql? I see a lot of tutorials out there that use a REST endpoint to authorize the user and generate the token.
While I'm new to the GraphQL scene, I don't see why you wouldn't use GraphQL for this.
For example, why not have a query like this which gets sent to a resolver that checks the user/pass and generates a token? :
    mutation {
      loginUser(
        username: "YOURUSERNAME",
        password: "YOURPASSWORD"
      ) {
        token
      }
    }
Is there a specific reason that the tutorials I've gone through haven't done it this way? Is there some sort of flaw in this method that I'm not aware of?
The official docs explain the reasoning a bit: https://graphql.org/graphql-js/authentication-and-express-middleware/
Reading between the lines a bit, it seems there isn't any official recommendation to not do this, but existing tools expect headers to be used and classic endpoints so this fits better.
If you start talking about OAUTH you're going to have to implement classic URLs anyways as well to complete that dance.
I am trying to implement CSRF validation in Yii. I have written my own class and everything works fine except for the fact that my POST variable (for the form) does not contain the token. Am I supposed to set the token myself in the POST variable? The Yii documentation states that the POST variable is set by a hidden field in every form. Does it require further implementation in the forms as well? I know the token is not there, as I saw the POST variables by dumping them.
I guess everything you need is to enable CSRF validation in your config and use CHtml for forms (Yii Guide). Here is what you need in the config:
    'components' => array(
        'request' => array(
            'enableCsrfValidation' => true,
        ),
    ),
In addition to enabling CSRF validation, you need to put the Yii CSRF token in your form. One of the easiest ways I've run into to put it in is to use CHtml beginForm, which puts it in as part of producing your form tag. More info here: http://www.yiiframework.com/doc/api/1.1/CHtml#beginForm-detail
A lot of web frameworks have a standard setup for generating forms with auth tokens.
Do I have to create such measures manually, or does Play come with a built-in means of preventing CSRF?
The documentation on the Play website doesn't seem to address this.
I use the play2-authenticitytoken module:
The authenticity token is a way around one of the most serious internet security threats: CSRF attacks. It ensures that the client submitting a form is the one who received the page (and not a hacker who stole your session data).
How it works:
In a nutshell:
on every form post, we add a hidden parameter containing a uuid
the uuid is signed and its signature is stored in the session (which translates into a cookie)
When the user submits the form, we get: the uuid, the signature and the other form inputs.
We sign the incoming uuid again
Validation passes if the signatures match (session.sign=uuid.sign)
Should an attacker inject a different id, he will never figure out how to generate the correct signature.
For completeness' sake, I have an example here in Scala for Play 2.0:
https://github.com/jacobgroundwater/Scala-Play-CSRF
This method also uses the cookie + hidden-field approach.
Example Usage
Use the SessionKey action to help sign a form:
    object Application extends Controller {
      def login = SessionKey { (key, signature) =>
        Action { implicit request =>
          Ok(views.html.login(signature)).withSession(key -> signature)
        }
      }
    }
When parsing forms use the following to check for the signature:
    object Authenticator extends Controller {
      def login = ValidateForm {
        Action { implicit request =>
          Ok(views.html.index("You're Logged In"))
        }
      }
    }
Since Play 2.1 there's support for this in the framework. Nick Carroll wrote a nice little article on how to use it:
http://nickcarroll.me/2013/02/11/protect-your-play-application-with-the-csrf-filter/
I'm upgrading a CakePHP 1.3 app to 2.0.3.
Previously, I was able to use the Auth component to log users in, and use the Security component to emulate Basic HTTP authentication (as if I had set up an .htaccess file to password-protect a page).
I used to do this:
    $this->Security->loginOptions = array('type' => 'basic', 'realm' => 'training');
    $this->Security->loginUsers   = array("student" => "student2010");
    $this->Security->requireLogin();
Now it appears that even if I use:
    public $components = array(
        'Auth' => array(
            'authenticate' => array('Basic')
        )
    );
It still wants to use my User model and database. Am I missing something?
Looking at the BaseAuthenticate and BasicAuthenticate classes would suggest that Cake no longer supports defining users and passwords that way.
You would probably have to extend the BasicAuthenticate class and override its getUser() method.
Perhaps someone else could shed some light on this?
Few fast questions as I'm unable to find such info in docs.
How to validate a single checkbox while creating user using Auth's create_user()?
Any ideas how to validate captcha?
Cheers!
    if (isset($_POST['captcha_response']))
    {
        // 'captcha_response' is the input name of the captcha field
        if (Captcha::valid($_POST['captcha_response']))
        {
            // your code here
        }
    }
I would prefer validation using a client-side scripting language such as jQuery, and not server-side.