Larry Ullman's Book Forums

Stripe Webhooks With Csrf


Jonathon

Jonathon, I am sorry to interrupt but I want to ask a few questions.

 

Did you enable CSRF on all your forms by adding 'enableCsrfValidation'=>true?

 

If you submit a form through a controller function with 'ajaxOnly + new', can somebody still do a blind attack on one of those?

 

If you used CSRF, when would you use it and why?

 

I am sorry, I don't have much experience with CSRF, and if I enable the feature in Yii most of my site won't work.


I enabled it in the config, yes. I don't think they can, no. But you have to pass the CSRF token as data into the controller also.

 

That's kind of what I thought; it means if I enable it I will have to update many Ajax functions. It's a shame you can't just make it independent per form, but Yii only seems to offer it via that main.php-like switch. I think to tighten up security I am going to enable it.

 

Once again, sorry to interrupt. I hope Larry can answer your question very soon when he gets time. Thanks for your help Jonathon. The least I can do is UP your post. Thanks


Well, I keep getting 400 errors in my Stripe response back and in the application log:

 

[error] [exception.CHttpException.400] exception 'CHttpException' with message 'The CSRF token could not be verified.

 

I feel like I'd sorted this the other day and it was because I was only accessing my site from my own IP address. I will get back to you if it doesn't resolve itself.

 

Thanks

 

Jonathon


Ah...I see: Stripe is making a POST request of the page and because there's no CSRF token, Yii is rejecting it. You can disable CSRF validation on specific routes using the noCsrfValidationRoutes configuration. I don't know the exact code off the top of my head, but if you search on that you should find it. If not, let me know!


Cool, so there is a way to turn it off in certain places. Larry, should we use CSRF for only Ajax requests or just for standard POST requests? What I mean is, can somebody blind attack an Ajax function with 'ajaxOnly + new' set in the controller?


You can't use CSRF for Ajax requests, really. Just use it for standard POST requests. And, really, just for ones of a sensitive nature. Yii's ability to use CSRF for all forms is a nice security feature, but it's a blunt tool. 


Hi Larry,

 

When you say you can't use it, really, what do you mean? I know that when I turned it on a lot of my Ajax requests failed, which led me to using things like:

 

 

var token = '<?php echo Yii::app()->request->csrfToken; ?>';

 

and sending it along with the CHtml::ajax data parameter.

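For readers who want the whole pattern Jonathon describes in one place, here is an added example (not the original poster's code, and not part of Yii itself) of a Yii 1.1 view that sends the CSRF token along with a CHtml::ajax POST so the request passes CHttpRequest::validateCsrfToken. The route 'item/rate', the element ids and the 'data-item' attribute are hypothetical.

```php
<?php
// Added example, not the original poster's code: a Yii 1.1 view fragment that
// sends the CSRF token with a CHtml::ajax POST. The route 'item/rate', the
// element ids and the 'data-item' attribute are hypothetical.
$request = Yii::app()->request;

echo CHtml::tag('span', array('id' => 'rating'), 'not rated yet');

echo CHtml::button('Rate this item', array(
    'id'        => 'rate-btn',
    'data-item' => 42, // constructed sample id
    'onclick'   => CHtml::ajax(array(
        'type' => 'POST',
        'url'  => Yii::app()->createUrl('item/rate'),
        // Yii reads the token from $_POST under csrfTokenName (YII_CSRF_TOKEN by
        // default), so use the configured name instead of hard-coding it.
        'data' => array(
            $request->csrfTokenName => $request->csrfToken,
            // the 'js:' prefix makes CJavaScript::encode emit this as an expression
            'id' => 'js:jQuery("#rate-btn").data("item")',
        ),
        'success' => 'function(resp) { jQuery("#rating").text(resp); }',
        // a 400 here is what the log line above shows when the token is missing
        'error'   => 'function(xhr) { jQuery("#rating").text("Rejected (" + xhr.status + ")"); }',
    )),
));
```

Reading csrfTokenName from the request component matters because a site that renames the token in main.php would otherwise silently start failing with the same 400 the log above shows.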

That noCsrfValidationRoutes configuration that Larry mentioned allows you to switch off some of the routes, so then the Ajax requests won't need them. Now you will know how I feel, Jonathon, when I was told it's better to use cents and not floats for monetary values; I've got that issue as well as CSRF to deal with.

 

@Larry Thanks for that. I thought it maybe wasn't necessary for the Ajax requests, okay I'll do as you say. Actually, now I know of the cents method I have decided to go back and recode some of the main web pages of my site. Most of last year I was learning stuff and coding at the same time, but now I am writing better code with better understanding. I probably don't need to rabble on like this but I thought I would keep you up to date as you're like the man that wrote the "Holy Bible of Coding" for me.


Actually, this CSRF routing issue is a custom job extending the CHttpRequest class; there are some details of it in this thread, I'm going to get that done tomorrow. This is the link where I found info for the noCsrfValidationRoutes configuration:

 

http://www.yiiframework.com/forum/index.php/topic/14173-disable-csrf-token-validation-for-certain-paths/

 

Surprised Yii didn't bother to include that themselves; it seems to be something that should be implemented.

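The "custom job extending the CHttpRequest class" mentioned above, written out as an added example (this is not code from the original post, from the linked Yii thread, or from Yii itself): a subclass that skips CSRF validation only for routes listed in a noCsrfValidationRoutes property, so a Stripe webhook POST is accepted while every other POST still goes through the normal check. The class name HttpRequest and the route 'webhook/stripe' are my own choices.

```php
<?php
// Added example, not Yii's or the original poster's code. Save as
// protected/components/HttpRequest.php and register it in main.php:
//
//   'components' => array(
//       'request' => array(
//           'class'                  => 'HttpRequest',
//           'enableCsrfValidation'   => true,
//           'noCsrfValidationRoutes' => array('webhook/stripe'), // hypothetical route
//       ),
//   ),
class HttpRequest extends CHttpRequest
{
    /**
     * Routes ('controller' or 'controller/action') that receive POSTs from
     * outside the browser (payment-provider webhooks) and so can never carry
     * a session-bound CSRF token. Keep this list as short as possible.
     * @var array
     */
    public $noCsrfValidationRoutes = array();

    /**
     * CHttpRequest attaches this method to onBeginRequest when
     * enableCsrfValidation is true. Exempt routes return early; everything
     * else falls through to the parent, which throws the 400
     * "The CSRF token could not be verified." seen in the log above.
     */
    public function validateCsrfToken($event)
    {
        // Resolve the route the same way CWebApplication::processRequest does.
        $route = Yii::app()->getUrlManager()->parseUrl($this);

        foreach ($this->noCsrfValidationRoutes as $exempt) {
            $exempt = trim($exempt, '/');
            // Exact match ('webhook/stripe') or whole controller ('webhook' covers 'webhook/anything').
            if ($route === $exempt || strpos($route, $exempt . '/') === 0) {
                return;
            }
        }

        parent::validateCsrfToken($event);
    }
}
```

The exempt route now has no CSRF protection at all, so the webhook action itself has to establish that the request really came from Stripe (for example by looking the event up at Stripe's API by its id rather than trusting the posted body) instead of relying on the framework check that was just switched off.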

What I meant by can't do CSRF in Ajax is more theoretical. The point of CSRF is to confirm that a user is actively submitting a form on your site. An Ajax request is a separate process that should have its own verification measures. I think of Ajax resources as being more like an API used within a site. 

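Larry's point that an Ajax resource should carry its own verification, illustrated with an added example (not code from the original thread): a Yii 1.1 controller for the hypothetical 'item/rate' action that combines the ajaxOnly filter (CController::filterAjaxOnly rejects requests without the XMLHttpRequest header with a 400), accessControl (rejects guests) and a server-side ownership check on the posted id. ItemController, Item and its owner_id and rating columns are all hypothetical.

```php
<?php
// Added example, not the original thread's code. ItemController, the Item
// active record and its owner_id / rating columns are hypothetical.
class ItemController extends CController
{
    public function filters()
    {
        return array(
            'ajaxOnly + rate',      // CController::filterAjaxOnly: X-Requested-With must be XMLHttpRequest
            'accessControl + rate', // evaluated against accessRules() below
        );
    }

    public function accessRules()
    {
        return array(
            array('allow', 'actions' => array('rate'), 'users' => array('@')), // authenticated users only
            array('deny'),                                                     // everyone else
        );
    }

    public function actionRate()
    {
        $request = Yii::app()->request;

        // State changes only over POST; with enableCsrfValidation on, the token
        // sent by the view has already been checked by the time we get here.
        if (!$request->isPostRequest) {
            throw new CHttpException(400, 'Invalid request.');
        }

        $id = (int) $request->getPost('id', 0);

        // Authorisation is the check ajaxOnly cannot do: the row must exist and
        // belong to the logged-in user, regardless of how the request arrived.
        $item = Item::model()->findByPk($id);
        if ($item === null || (int) $item->owner_id !== (int) Yii::app()->user->id) {
            throw new CHttpException(403, 'You are not allowed to rate this item.');
        }

        $item->rating += 1;
        $item->save(false);

        echo (int) $item->rating; // consumed by the Ajax success callback
        Yii::app()->end();
    }
}
```

The ajaxOnly filter only confirms that the request carried the X-Requested-With header, which any script on your own pages sets; the accessControl rule and the ownership check are what actually decide whether this caller may change this row.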
