ClearFoundation Tracker - ClearOS
View Issue Details
ID: 0016711
Project: ClearOS
Category: clearos-framework
View Status: public
Date Submitted: 2017-08-28 19:49
Last Update: 2017-09-13 12:09
Reporter: bchambers
Assigned To: bchambers
Priority: normal
Severity: minor
Reproducibility: sometimes
Status: closed
Resolution: fixed
Product Version: 7.4.0 Beta 1
Target Version: 7.4.0 Beta 1
Fixed in Version: 7.4.0 Beta 1
0016711: Ajax "POST's" cause CSRF 403's
POST.

If user submits a POST form, CSRF will fail.
No tags attached.
Relationships: related to 0015311 (closed, user2): Upgrade engine to CodeIgniter 3.1.x
Issue History
Date Modified     Username   Field                 Change
2017-08-28 19:49  bchambers  New Issue
2017-08-28 19:49  bchambers  Status                new => assigned
2017-08-28 19:49  bchambers  Assigned To           => bchambers
2017-08-28 21:20  user2      Relationship added    duplicate of 0015311
2017-08-28 21:21  user2      Severity              major => minor
2017-08-28 21:26  user2      Note Added            0006391
2017-08-28 21:27  user2      Relationship replaced related to 0015311
2017-08-29 07:20  bchambers  Note Added            0006401
2017-08-31 09:04  user2      Target Version        => 7.4.0 Beta 1
2017-09-02 15:30  user2      Category              app-marketplace - Marketplace => clearos-framework
2017-09-02 15:34  user2      Note Added            0006421
2017-09-02 15:35  user2      Status                assigned => resolved
2017-09-02 15:35  user2      Fixed in Version      => 7.4.0 Beta 1
2017-09-02 15:35  user2      Resolution            open => fixed
2017-09-13 12:09  user2      Status                resolved => closed

Notes
(0006391) user2, 2017-08-28 21:26
Note: severity set to minor since this is a change from the unreleased and unverified 0015311.
(0006401) bchambers, 2017-08-29 07:20
Pete,

There are 3 ways we could go with this:

https://stackoverflow.com/questions/41398753/regenerate-crsf-token-codeigniter-on-submit-ajax

1. Messy but secure - get and set the regenerated CSRF and update values in any forms.
2. Easy, but less secure and not scalable - Disable CSRF protection on certain routes (e.g. AJAX). However, since these are specified in the framework, app developers are left out of the loop.
3. Easy but least secure - Disable regeneration of CSRF tokens.

I think 2 is out due to scalability issues... doubt you want to go down path 3, so 1 it is???
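Option 1 from the note above, as an added client-side example that is not ClearOS or CodeIgniter code: the AJAX POST sends the current token, then re-reads the cookie that CodeIgniter rewrites when csrf_regenerate is on and copies the new value into every hidden CSRF field, so the following submit is not rejected with a 403. It assumes CodeIgniter 3's default field and cookie names (csrf_test_name, csrf_cookie_name); the hook parameters of csrfPost are this example's own device for running it outside a browser.

```javascript
// Assumed names: CodeIgniter 3's defaults for $config['csrf_token_name'] and
// $config['csrf_cookie_name'] in config.php; change them if the app overrides them.
const CSRF_FIELD_NAME = 'csrf_test_name';
const CSRF_COOKIE_NAME = 'csrf_cookie_name';

// Return the named cookie's value from a document.cookie-style string, or null.
function readCookie(cookieString, name) {
  for (const part of cookieString.split(';')) {
    const eq = part.indexOf('=');
    if (eq >= 0 && part.slice(0, eq).trim() === name) return decodeURIComponent(part.slice(eq + 1));
  }
  return null;
}

// URL-encode the form fields and add the current token under the CSRF field name.
function buildPostBody(fields, token) {
  const params = new URLSearchParams(fields);
  params.set(CSRF_FIELD_NAME, token);
  return params.toString();
}

// Write a regenerated token into every hidden CSRF input ("update values in any forms").
// `inputs`: any iterable of name/value objects, e.g. document.querySelectorAll(...).
function syncCsrfFields(inputs, token) {
  let updated = 0;
  for (const input of inputs) {
    if (input.name === CSRF_FIELD_NAME && input.value !== token) { input.value = token; updated += 1; }
  }
  return updated;
}

// One AJAX POST: send the token from the cookie, then re-read the cookie (CodeIgniter
// rewrites it each request when csrf_regenerate is TRUE) and resync the forms so the next
// submit, AJAX or plain, is not 403'd. Hooks default to browser globals; injectable for tests.
async function csrfPost(url, fields, hooks = {}) {
  const fetchImpl = hooks.fetchImpl || fetch;
  const getCookies = hooks.getCookies || (() => document.cookie);
  const getInputs = hooks.getInputs ||
    (() => document.querySelectorAll('input[name="' + CSRF_FIELD_NAME + '"]'));
  const token = readCookie(getCookies(), CSRF_COOKIE_NAME);
  if (token === null) throw new Error('CSRF cookie missing; the POST would get a 403');
  const response = await fetchImpl(url, {
    method: 'POST', credentials: 'same-origin',
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body: buildPostBody(fields, token),
  });
  const fresh = readCookie(getCookies(), CSRF_COOKIE_NAME);
  if (fresh !== null) syncCsrfFields(getInputs(), fresh);
  return response;
}
```

The cookie-based read only works because CodeIgniter's CSRF cookie is not HttpOnly; if an app marks it HttpOnly, the regenerated token has to come back in the AJAX response body instead.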
(0006421) user2, 2017-09-02 15:34
0000003 is fine for the webconfig use case. Note: the CSRF token will be regenerated on every login session.