Newsgroups: php.internals
Xref: news.php.net php.internals:93251
Subject: Re: [PHP-DEV] [RFC DRAFT] Automatic CSRF Protection
From: yohgaki@ohgaki.net (Yasuo Ohgaki)
To: Kinn Julião
Cc: Arvids Godjuks, internals@lists.php.net, Niklas Keller, Stanislav Malyshev
Date: Thu, 12 May 2016 05:12:48 +0900

Hi Kinn,

On Wed, May 11, 2016 at 8:36 PM, Kinn Julião wrote:
> You're making confusion between CSRF and Session Hijacking... In any moment
> I mentioned about hijacking someone else's session, but to still being able
> to CSRF (Cross Site Request Forgery).
>
> Any other remote source would still be able to use your "example".
>
> "A is using your own site's contact form, with a plotted csrf token as a
> hidden field in the form, and the same stored in the session".
> With your token solution for asynchronous requests:
> "A is using your own site's contact form, with a csrf token remotely
> requested, and the same stored in its session".
> "B is spamming your site's contact form, with a csrf token remotely
> requested, and the same stored in its session".
>
> Which means: B still being able to CSRF. Which is totally different from
> Session Hijacking.

You've said
> The cross site can request the "get_csrf_token.php", store on its session
> (even curl can save the session id cookie or whatever), get the token and
> request the endpoint with the retrieved token and session id.

I probably understand the reason why you misunderstood now.
This CSRF protection works like Trans SID, as the RFC introduction states.
It is as secure as Trans SID.
If you are curious, study Trans SID and why it is adequately safe.

Regards,

--
Yasuo Ohgaki
yohgaki@ohgaki.net
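For readers following the thread, here is the session-bound token scheme both posters are arguing about, written out as a small PHP example. This is added illustration, not code from the RFC draft or from either participant; the form action `/contact.php` and the field names `csrf_token` and `message` are assumed. The check proves only that the submitter holds the session the token was issued to, which is what stops a cross-site forged request; a client that fetches its own token in its own session passes, so this is not a spam or abuse control.

```php
<?php
// Added example (not the RFC's or either poster's code): synchronizer-token
// CSRF protection with the token kept in the PHP session.

session_start();

// Issue one random token per session and keep it there. The hidden form field
// (or a "get_csrf_token.php"-style endpoint, as in the thread) hands this
// same value to the client that owns the session.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Compare a submitted token with the one bound to the caller's session.
// hash_equals() keeps the comparison constant-time.
function csrf_check(?string $submitted): bool
{
    if ($submitted === null || empty($_SESSION['csrf_token'])) {
        return false;
    }
    return hash_equals($_SESSION['csrf_token'], $submitted);
}

// Render the contact form with the token as a hidden field.
// Field names and the action path are assumed for this example.
function render_form(): string
{
    $t = htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8');
    return '<form method="post" action="/contact.php">'
         . '<input type="hidden" name="csrf_token" value="' . $t . '">'
         . '<textarea name="message"></textarea><button>Send</button></form>';
}

// Handler side: refuse any POST whose token does not belong to this session.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_check($_POST['csrf_token'] ?? null)) {
        http_response_code(403);
        exit('CSRF token mismatch');
    }
    // process $_POST['message'] here
} else {
    echo render_form();
}
```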