Jonathon, posted February 11, 2014:
Hi Larry. When working with webhooks, how do you get past the CSRF token not being able to be verified?
Edward, posted February 12, 2014:
Jonathon, I am sorry to interrupt, but I want to ask a few questions. Did you enable CSRF on all your forms by adding 'enableCsrfValidation'=>true? If you submit a form through a controller function with 'ajaxOnly + new', can somebody still do a blind attack on one of those? If you used CSRF, when would you use it and why? I am sorry, I don't have much experience with CSRF, and if I enable the feature in Yii most of my site won't work.
Jonathon, posted February 12, 2014:
I enabled it in the config, yes. I don't think they can, no. But you have to pass the CSRF token as data into the controller also.
Edward, posted February 13, 2014:
> I enabled it in the config, yes. I don't think they can, no. But you have to pass the CSRF token as data into the controller also.

That's kind of what I thought. It means if I enable it I will have to update many Ajax functions. It's a shame you can't just make it independent per form, but Yii only seems to offer it via that main.php-like switch. I think to tighten up security I am going to enable it. Once again, sorry to interrupt; I hope Larry can answer your question very soon when he gets time. Thanks for your help, Jonathon. The least I can do is up-vote your post. Thanks.
Larry, posted February 14, 2014:
Hello Jonathon, I'm not exactly sure what you're asking here. I don't quite see how CSRF would come into play with webhooks, but maybe I'm missing something.
Jonathon, posted February 14, 2014:
Well, I keep getting 400 errors in my Stripe response back, and in the application log: [error] [exception.CHttpException.400] exception 'CHttpException' with message 'The CSRF token could not be verified.' I feel like I'd sorted this the other day and it was because I was only accessing my site from my own IP address. I will get back to you if it doesn't resolve itself. Thanks, Jonathon
Larry, posted February 15, 2014:
Ah... I see: Stripe is making a POST request of the page, and because there's no CSRF token, Yii is rejecting it. You can disable CSRF validation on specific routes using the noCsrfValidationRoutes configuration. I don't know the exact code off the top of my head, but if you search on that you should find it. If not, let me know!
Jonathon, posted February 15, 2014:
Yeah, I did see that, and I realised how I overcame this in testing: I turned the CSRF off. Ha! I have seen the code you talk of and will get on that. Thanks, Jonathon
Edward, posted February 16, 2014:
> Ah... I see: Stripe is making a POST request of the page, and because there's no CSRF token, Yii is rejecting it. You can disable CSRF validation on specific routes using the noCsrfValidationRoutes configuration. I don't know the exact code off the top of my head, but if you search on that you should find it. If not, let me know!

Cool, so there is a way to turn it off in certain places. Larry, should we use CSRF for only Ajax requests or just for standard POST requests? What I mean is, can somebody blind attack an Ajax-only function with 'ajaxOnly + new' set in the controller?
Larry, posted February 17, 2014:
You can't use CSRF for Ajax requests, really. Just use it for standard POST requests. And, really, just for ones of a sensitive nature. Yii's ability to use CSRF for all forms is a nice security feature, but it's a blunt tool.
Jonathon, posted February 17, 2014:
Hi Larry, when you say you can't use it, really, what do you mean? I know that when I turned it on a lot of my Ajax requests failed, which led me to using things like:

var token = '<?php echo Yii::app()->request->csrfToken; ?>';

and sending it along with the CHtml::ajax data parameter.
Edward, posted February 19, 2014:
That noCsrfValidationRoutes configuration that Larry mentioned allows you to switch off some of the routes, so then the Ajax requests won't need them. Now you will know how I felt, Jonathon, when I was told it's better to use cents and not floats for monetary values; I've got that issue as well as CSRF to deal with. @Larry Thanks for that; I thought it maybe wasn't necessary for the Ajax requests. Okay, I'll do as you say. Actually, now that I know of the cents method I have decided to go back and recode some of the main web pages of my site. Most of last year I was learning stuff and coding at the same time, but now I am writing better code with better understanding. I probably don't need to ramble on like this, but I thought I would keep you up to date, as you're like the man who wrote the "Holy Bible of Coding" for me.
Edward, posted February 19, 2014:
Actually, this CSRF routing issue is a custom job extending the CHttpRequest class; there are some details of it in this thread, and I'm going to get that done tomorrow. This is the link where I found info for the noCsrfValidationRoutes configuration: http://www.yiiframework.com/forum/index.php/topic/14173-disable-csrf-token-validation-for-certain-paths/ Surprised Yii didn't bother to include that themselves; it seems to be something that should be implemented.
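The route-exemption approach discussed in this thread, written out as an added example for Yii 1.1 (this is not code from the posts, from Yii, or from the linked forum topic): a CHttpRequest subclass that leaves enableCsrfValidation on site-wide but skips the check for an explicit list of routes, so a Stripe webhook can POST without a token while every other POST still needs one. The property name noCsrfValidationRoutes, the class location application.components.HttpRequest and the route 'stripe/webhook' are assumptions chosen for the example.

```php
<?php
// Added example for this thread, not code from the posts or from Yii itself.
// Keeps CSRF validation on for the whole site but skips it for the routes in
// $noCsrfValidationRoutes, which is what a Stripe webhook needs: Stripe can
// never carry your token. Property name and example route are assumptions.
class HttpRequest extends CHttpRequest
{
    /** @var string[] controller/action routes that outside services POST to */
    public $noCsrfValidationRoutes = array();

    /**
     * Yii attaches this method to onBeginRequest when enableCsrfValidation is
     * true, so it runs before any controller. Resolve the route and return
     * early if it is exempt; otherwise fall through to the stock check, which
     * throws CHttpException 400 ("The CSRF token could not be verified.").
     */
    public function validateCsrfToken($event)
    {
        if ($this->getIsPostRequest()) {
            // Same resolution CWebApplication performs before dispatching
            $route = trim((string)Yii::app()->getUrlManager()->parseUrl($this), '/');
            foreach ($this->noCsrfValidationRoutes as $exempt) {
                if (strcasecmp($route, trim($exempt, '/')) === 0) {
                    return; // exempt route: no token expected from the caller
                }
            }
        }
        parent::validateCsrfToken($event);
    }
}

/*
protected/config/main.php (the one place Yii 1.1 lets you switch CSRF on):

'components' => array(
    'request' => array(
        'class'                  => 'application.components.HttpRequest',
        'enableCsrfValidation'   => true,
        'csrfCookie'             => array('httpOnly' => true),
        'noCsrfValidationRoutes' => array('stripe/webhook'),
    ),
),
*/
```

Keep the exempt list short and specific. An exempt route accepts POSTs from anyone on the internet, so it must authenticate its caller some other way (for a Stripe webhook, by checking a signature or by re-fetching the event from Stripe by its id before acting on it). Never exempt a route that changes state for a logged-in user; those are exactly the requests CSRF validation exists to protect, and Ajax calls from your own pages should keep sending the token as Jonathon describes.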
Jonathon, posted February 19, 2014:
CSRF is disabled by default in 1.1.x though, so it would be providing additional code for something that is optional. It is enabled in 2.0 by default though.
Edward, posted February 20, 2014:
Yeah, but we are using Yii 1; that's the problem here. What are you going to do: write the custom code for disabling some controller/action routes, or are you just going to leave things the way they are?
Jonathon, posted February 20, 2014:
No, I just passed the token through the Ajax request. But if you have loads, it's probably quicker to use "nocsrf" in config.
Larry, posted February 21, 2014:
What I meant by "can't do CSRF in Ajax" is more theoretical. The point of CSRF is to confirm that a user is actively submitting a form on your site. An Ajax request is a separate process that should have its own verification measures. I think of Ajax resources as being more like an API used within a site.
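Larry's point is that a webhook or Ajax endpoint exempt from CSRF validation needs its own verification. As an added example (not code from the thread, from Yii or from Stripe), here is what that looks like for the Stripe webhook in this thread: a timestamped HMAC signature over the raw request body, modelled on the Stripe-Signature header format Stripe later adopted (t=<unix>,v1=<hex>, with v1 = HMAC-SHA256(endpoint secret, "<unix>.<raw body>")). The secret, the params key stripeWebhookSecret and the sample payload are constructed for the example; the controller class is only declared when Yii's CController is loaded so the file also runs stand-alone.

```php
<?php
// Added example for this thread, not code from the posts, from Yii or from Stripe.
// A CSRF-exempt webhook route still needs to authenticate its caller. This checks
// a timestamped HMAC over the exact bytes received, in the shape of Stripe's
// "Stripe-Signature: t=<unix>,v1=<hex>" header. Secret, config key and payload
// below are constructed for the example.

function parseSignatureHeader($header)
{
    $parsed = array('t' => null, 'v1' => array());
    foreach (explode(',', $header) as $item) {
        $kv = explode('=', trim($item), 2);
        if (count($kv) !== 2) {
            continue;
        }
        if ($kv[0] === 't' && ctype_digit($kv[1])) {
            $parsed['t'] = (int)$kv[1];
        } elseif ($kv[0] === 'v1') {
            $parsed['v1'][] = $kv[1]; // several v1 values appear while a secret is rotated
        }
    }
    return $parsed;
}

function verifyWebhook($rawBody, $header, $secret, $now, $tolerance = 300)
{
    $sig = parseSignatureHeader($header);
    if ($sig['t'] === null || count($sig['v1']) === 0) {
        return false;
    }
    // Reject stale or future-dated deliveries so a captured request cannot be replayed later
    if (abs($now - $sig['t']) > $tolerance) {
        return false;
    }
    $expected = hash_hmac('sha256', $sig['t'] . '.' . $rawBody, $secret);
    foreach ($sig['v1'] as $candidate) {
        if (hash_equals($expected, $candidate)) { // constant-time compare, PHP >= 5.6
            return true;
        }
    }
    return false;
}

// Yii 1.1 action for the exempt route (e.g. stripe/webhook). Declared only when
// Yii is loaded so this file can also be run on its own for the self-check below.
if (class_exists('CController', false)) {
    class StripeController extends CController
    {
        public function actionWebhook()
        {
            // Use the raw body: the signature covers the bytes sent, not $_POST's re-encoding
            $raw = Yii::app()->request->getRawBody();
            $header = isset($_SERVER['HTTP_STRIPE_SIGNATURE']) ? $_SERVER['HTTP_STRIPE_SIGNATURE'] : '';
            $secret = Yii::app()->params['stripeWebhookSecret']; // assumed key in params

            if (!verifyWebhook($raw, $header, $secret, time())) {
                throw new CHttpException(400, 'Invalid webhook signature.');
            }
            $event = json_decode($raw, true);
            // ... dispatch on $event['type'], then respond 200 promptly ...
        }
    }
}

// Offline self-check with a constructed secret and payload: a correctly signed body
// verifies, a body altered in transit does not, and a delivery outside the window is refused.
function selfCheck()
{
    $secret = 'whsec_example_constructed_secret';
    $body = '{"id":"evt_example","type":"charge.succeeded","data":{"object":{"amount":2000}}}';
    $now = 1392000000;
    $header = 't=' . $now . ',v1=' . hash_hmac('sha256', $now . '.' . $body, $secret);
    $tampered = str_replace('2000', '1', $body);
    return verifyWebhook($body, $header, $secret, $now)
        && !verifyWebhook($tampered, $header, $secret, $now)
        && !verifyWebhook($body, $header, $secret, $now + 3600);
}
```

Two details matter in practice: verify over the raw body rather than a decoded array (re-serialising changes the bytes and breaks the HMAC), and compare with hash_equals rather than == so the check does not leak timing. If your provider offers no signature, the equivalent check is to treat the POST only as a notification and fetch the referenced event from the provider's API over TLS before acting on it.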