pillarjs / csrf
Logic behind CSRF token creation and verification.
License: MIT License
Hi,
as reported for session middleware:
expressjs/session#49
Could you please consider using another module instead of uid2?
In that issue I suggested node-uuid, but rand-token is now used. Could you please consider making the same change here?
L.
Hello,
We use this module in our code.
According to what we see, you use Math.random() which does not produce cryptographically safe random numbers.
Is it possible to switch to some strong RNG, like "crypto.randomBytes" for example?
Thank you and Best Regards,
Zvi
If we change this to basically a class, theoretically if we just attached the tokenize function to the prototype, people could overwrite the function on instances themselves or even subclass this.
Thoughts, @jonathanong? Are there people even using the tokenize option?
I am looking forward to a release which includes 43f660a.
Don't you think one should attach a domain to token creation, meaning that if a token is received from a different domain it will be discarded?
tokens.create(secret, domain)
tokens.verify(secret, token, domain)
First, I agree that it is not this module's problem to deal with sessions or cookies. But as a general approach I will do the following with this module.
Now the problem is, anyone can quickly grab this token by visiting a webpage on my website. They can also copy the session from the network tab.
After this, all one needs to do is make a cURL request setting the above values and VOILA, CSRF has been compromised.
If I understand correctly:
That's how koa-csrf appears to be using it.
I know token creation is fast; my only concern is that refreshing the token causes a Set-Cookie every time, which seems less than performant. Is there any alternative available if I am to write my own CSRF middleware?
I was looking through the code to understand the security model and noticed that the CSRF is being hashed with SHA-1. There's a lot of talk about replacing SHA-1 with harder to break hashing function (eg. SHA-256) in other areas so it worried me at first to see SHA-1 used to protect CSRFs. But then I got to thinking about it more... why are we hashing the CSRF? AFAIK the CSRF (even in plaintext) is not enough for a malicious agent to generate the cookie that they would need to steal a session.
What threat does hashing the CSRF token secure against as opposed to storing the CSRF in plain text in both the browser javascript and the cookie? And if the hashing is important to security of CSRFs should we be migrating CSRF to SHA-256?