Jul 1, 2009

Cross Site Request Forgeries

Before, I was using CakePHP's Security component to defend against CSRF attacks. This component generates a secret token and includes it as a hidden field on every page. On every request, CakePHP checks to see if the token coming back from the POST data matches the expected value. If not, the request is denied. This is a pretty bulletproof way to stop CSRF attacks.
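The synchronizer-token pattern described above, written out as an added framework-agnostic example (this is not CakePHP's Security component code): the token lives in the session, is rendered into a hidden field, and every state-changing request must echo it back. The field name `_csrf_token` and the `dict`-as-session are assumptions for the illustration.

```python
import hmac
import secrets
from html import escape

TOKEN_FIELD = "_csrf_token"  # assumed field name; not the name CakePHP uses


def issue_token(session: dict) -> str:
    """Create the per-session secret token on first use, then reuse it."""
    token = session.get(TOKEN_FIELD)
    if token is None:
        token = secrets.token_hex(32)  # 256 bits from the OS CSPRNG
        session[TOKEN_FIELD] = token
    return token


def hidden_field(session: dict) -> str:
    """Render the hidden input that every state-changing form carries."""
    return (f'<input type="hidden" name="{TOKEN_FIELD}" '
            f'value="{escape(issue_token(session))}">')


def is_request_allowed(session: dict, method: str, post_data: dict) -> bool:
    """Safe methods pass; anything else must present the session's token."""
    if method.upper() in ("GET", "HEAD", "OPTIONS"):
        return True
    expected = session.get(TOKEN_FIELD)
    supplied = post_data.get(TOKEN_FIELD)
    if expected is None or not isinstance(supplied, str):
        return False  # no token issued, or none echoed back: deny
    # Constant-time compare so the check leaks nothing via timing.
    return hmac.compare_digest(expected, supplied)


def demo() -> dict:
    """Constructed requests: one from the site's own form, two forged ones."""
    session = {}
    hidden_field(session)  # the real form was rendered, so a token exists
    genuine = {"user_id": "42", TOKEN_FIELD: session[TOKEN_FIELD]}
    forged_missing = {"user_id": "42"}  # another origin cannot read the token
    forged_guess = {"user_id": "42", TOKEN_FIELD: "0" * 64}
    return {
        "get": is_request_allowed(session, "GET", {}),
        "genuine": is_request_allowed(session, "POST", genuine),
        "forged_missing": is_request_allowed(session, "POST", forged_missing),
        "forged_guess": is_request_allowed(session, "DELETE", forged_guess),
    }
```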

However, the Security component was giving me random bugs, and after about two hours of research and debugging, I decided to finally give it the axe. I won't have the tokens any more, but I am requiring all actions that change state be either POST, PUT, or DELETE, depending on the action. Also, the session timeout is set for 10 minutes. These two things will reduce the risk of CSRF attacks as well. I've decided not to check the referer because a lot of school networks strip this off of their HTTP traffic and I'd be denying legitimate users.

Also, I don't allow users to upload images or scripts. All user input is severely sanitized.

The measures I have in place are not 100% bulletproof against CSRF, but in my judgement they're good enough. It would be very difficult for an attacker to be successful.

Today I finished the Delete User and Log In pages, with SHA1 password hashing and everything. I have a few placeholders that the User model depends on, which I hope to get to next. Actually my next project is authentication.

CakePHP has a built-in component for this too, but it won't suit my needs. It requires only one username and one password field. But I want my users to log in with their first name, last name, and password. There's no way to hack around that limitation in Cake, so I'll be writing my own authentication methods. This isn't a bad thing because I'll have a much deeper understanding of how it works.

The login page is pretty because it has a picture on it.
