It would be great to have a way to 'persist' tokens for subsequent attempts on requests. Please take a look at this issue which outlines a valid use case for such a scenario.

Via @geggleto

The fix is a guard around [ https://github.com/slimphp/Slim-Csrf/blob/master/src/Guard.php#L204 ], using what I think would be a controllable setting. We would keep the default currently which would be "strict" => true

It seems to work on the first submit, but if submitted again, the tokens are invalid. Any strategies on how to refresh tokens for subsequent Ajax requests with the need for 'refreshed' tokens to pass along?

Hello,

I am using the Gaurd with the following arguments:

new \Slim\Csrf\Guard('csrf', $_, function(Request $request, Response $response, $next) {
  return $response
    ->withStatus(400)
    ->withHeader('Content-type', 'text/plain')
    ->write('Security check failed. Please refresh the page.');
}, 200, 16, true));

I have users reporting that when they leave the page sit 30–60 minutes, the CSRF check fails on the next API request. I have been able to reproduce this on Mobile Safari on iOS. As far as I know, nothing is killing the session, as the user is still logged in. Any idea why this would be happening? I don't see anything in the code about how long to keep the tokens, so I would expect them to last as long as the session.

Right now, we can use the CSRF middleware in one of two ways: either applied to all routes, or on a route-by-route basis.

It would be nice if there were an option to whitelist certain routes, so that CSRF checks are performed on all routes except those explicitly listed.

I have a Page that dynamically loads multiple forms via ajax let say each form is supposed to be a like button,

so when CSFR is disabled forms works fine , and no exception is thrown ,but when enabled the problem appear the problem is the first request will work because the tokens will match but since ajax will not refresh the page the other forms will still have the old token so any subsquent request will not work and "Failed CSRF check!" exception will be thrown , i searched a lot for a solution and i find a tedious one which is to return the new csrf in the response to the AJAX post, then update the value of the csrf token field but it is not a fancy soulotion besides im using a CSRF middleware to append the values automaticly

` public function __invoke($request, $response, $next){

    $nameKey = $this->container->csrf->getTokenNameKey();
    $valueKey = $this->container->csrf->getTokenValueKey();

    $name = $this->container->csrf->getTokenName();
    $value = $this->container->csrf->getTokenValue();

    // Render HTML form which POSTs to /bar with two hidden input fields for the
    // name and value:
    $output  = '<input type="hidden" name="'.$nameKey .'" value="'.$name .'">';
    $output .= '<input type="hidden" name="'.$valueKey.'" value="'.$value.'">';

    // Append The CSRF Gards To The View
    $this->container->view->addAttribute('csrf_gards', $output );

    // Pass the Request to the next one
    $response = $next($request, $response);
    return $response;
}`

a nice approach like CodeIgniter would be to allow this kind of behavior $config['csrf_regenerate'] = FALSE;

so any help would be appreciated

I think the ability to check against GET and other Methods is really nice if you wanna beef up security even more. So here a added a optional parameter array of which methods we wanna check in this function.

To find there variables from other the post data field, we check Headers and query instead.

Hi Josh Lockhart,

I don't believe mt_rand is a nice candidate. So the line

$token = hash("sha512", mt_rand(0, mt_getrandmax()));

seems not safe to me. I don't recall the discussion thread, but there was one.

It was also in @auraphp Session . See commit https://github.com/auraphp/Aura.Session/commit/7e3c8360ff4f5f34d09d87a599a1ac527dbb054a

Later iirc after reviewed by ircmaxwell , it was changed to make use of a RandomInterface, via which you can incorporate something like RandomLib or Random generators.

It will be nice, if there is a way we can incorporate libraries. So only need to deal with one library for security.

https://github.com/auraphp/Aura.Session#defending-against-csrf

Thanks!

Hey, I ruined into the following error: Problem 1 - Root composer.json requires slim/csrf ^1.0.0 -> satisfiable by slim/csrf[1.0.0]. - slim/csrf 1.0.0 requires php ^7.1 -> your php version (8.0.0) does not satisfy that requirement.

My 'testing' solution is removing the required for now and add it manually as remote repository in composer.

Besides that PHP7.1 is (if im right) EOL.

Thanks, Maxi

I don't understand about generation of security tokens. Example:

$app->get('/foo', function ($request, $response, $args) { // CSRF token name and value $nameKey = $this->csrf->getTokenNameKey(); $valueKey = $this->csrf->getTokenValueKey(); $name = $request->getAttribute($nameKey); $value = $request->getAttribute($valueKey); });

$app->post('/bar', function ($request, $response, $args) { // CSRF protection successful if you reached // this far. });

If /foo is public, anyone can generate a token and use to valid the access to another method (/bar). Any help about it?

Hello guys I have a little problem I am using slim 3 framework along with slim-csrf what I did is registering the csrf to the container I aslo created a csrfExtension that extends the twigExtension. in the csrfExtenstion class I created a method that return the csrf fields neede markup this way I don't need to retype the whole markup in my forms I just call the function that I created and it works fine.

Now the problem is in my website admins-panel page there is a lot of ajax requests that I want to apply the csrf on here is where the problem appears the csrf only works for the first request but it will give an error on any other request cause the csrf_name and csrf_value that I am picking from my view has expired so how to get the new csrf_name and csrf_value so I can pass them along with my other ajax requests.

hope you can help me Thanks in advance

Until version 0.8.3 the used token is removed:

        // If we're not in persistent token mode, delete the token.
        if (!$this->persistentTokenMode) {
            $this->removeFromStorage($name);
        }

(https://github.com/slimphp/Slim-Csrf/blob/0.8.3/src/Guard.php#L254-L257) and a new token is generated after validation:

// Need to regenerate a new token, as the validateToken removed the current one.
$request = $this->generateNewToken($request);

(https://github.com/slimphp/Slim-Csrf/blob/0.8.3/src/Guard.php#L152-L153)

Is there any particular reason why the token is no longer deleted in the latest version for slim 4?

https://github.com/slimphp/Slim-Csrf/blob/ebaaf295fd6d7224078d8ae3bba45329b31798c7/src/Guard.php#L240

I'm not really that skilld with Xor operators, but the middleware used to work perfectly before

PHP 8.1.4