feat: add CSRF token randomization #5283

kenjis · 2021-11-04T10:21:04Z

Description

To avoid BREACH attacks
add Config\Security::$tokenRandomize (default is false)
if Config\Security::$tokenRandomize is true
- randomize CSRF token with random key and XOR

Checklist:

MGatner

I'm not great with cryptography. This looks good to me but I would like it if someone else reviewed as well.

system/Security/Security.php

tests/system/Security/SecurityCSRFSessionRandomizeTokenTest.php

To make it easier to identify binary or hex

Because the use case where users want to increase the value is assumed.

kenjis · 2021-11-14T02:06:37Z

I added User Guide.

kenjis · 2021-11-14T23:54:50Z

Thanks, guys!

feat: add CSRF token randomization

0355175

MGatner approved these changes Nov 7, 2021

View reviewed changes

kenjis added the enhancement PRs that improve existing functionalities label Nov 9, 2021

paulbalandan reviewed Nov 13, 2021

View reviewed changes

kenjis added 6 commits November 14, 2021 09:15

refactor: rename variable names

f95e75f

To make it easier to identify binary or hex

refactor: CSRF_HASH_BYTES can be overridden

1037f7f

Because the use case where users want to increase the value is assumed.

test: add $this->expectExceptionMessage();

1811d00

docs: add Token Randomization to user guide

b1bc7ba

test: fix assertions

29bfacf

test: refactor MockSecurity

899d7d4

kenjis requested a review from paulbalandan November 14, 2021 02:06

MGatner approved these changes Nov 14, 2021

View reviewed changes

paulbalandan approved these changes Nov 14, 2021

View reviewed changes

kenjis merged commit c8f126d into codeigniter4:develop Nov 14, 2021

kenjis deleted the feat-csrf-token-randomization branch November 14, 2021 23:53

Provide feedback