
I have a page that is open (i.e. requires no login) and allows users to give quick feedback. This page is available on a single shared PC or tablet. The form itself has a CSRF token on it.

Problem is that the time between people submitting responses could be longer than the PHP session time. Solutions seem to be:

  1. using a meta refresh to reload the page every 15 mins (could refresh while someone was giving feedback, so not great)
  2. remove the CSRF token protection (so reducing the security)
  3. adding a JavaScript timer on the page to only reload the page after 15 mins of no mouse or keyboard input.

Is there another way of dealing with this?

williamsdb
  • "PHP session limit"? What session limit? The session cookie expiry can be set at any value, including forever. Besides, if the session no longer exists, they should be logged out, which is a totally different issue. – Polynomial Jul 01 '15 at 15:39
  • What are you protecting with your CSRF token if the page requires no login? – SilverlightFox Jul 01 '15 at 15:45
  • @polynomial - this session limit: http://stackoverflow.com/questions/1516266/how-long-will-my-session-last – williamsdb Jul 01 '15 at 15:47
  • Right. You can just change `session.gc_maxlifetime` to a larger timeout. The problem described there is that you shouldn't rely upon the PHP GC to time out your session on the server side, because it may not do so immediately after the configured time. It should never time it out *before* that time. – Polynomial Jul 01 '15 at 15:52
  • @SilverlightFox that's a good question and maybe I don't need to (removing certainly would be the simplest solution) but wouldn't someone be able to send through the comment from outside the site. Spoofing the request? This is not my area of expertise (clearly) so I may be misunderstanding. – williamsdb Jul 01 '15 at 15:57
  • It depends whether your site carries other important information in the session. See [this answer](http://security.stackexchange.com/a/85893/8340) for guidance. Even if it doesn't, there is a low risk that an attacker would create a CSRF attack for a page that is publicly accessible and would not be tied to session. They would simply be attributing the form submission to the end-user's IP address rather than their own, which would usually be a minor gain. It would probably be better to protect your form with another type of spam protection. – SilverlightFox Jul 01 '15 at 16:02
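If the token is kept, the mechanism the question and Polynomial's comment describe can be made to survive idle kiosk periods in two steps: lengthen the server-side session lifetime before `session_start()`, and treat a token mismatch as "session expired, re-render with a fresh token" rather than as a hard failure. The following is an added example, not code from the question or any answer; the field names, the 8-hour lifetime and the `saveFeedback()` file-append helper are assumptions made here.

```php
<?php
// Added example (not from the original thread). Single-file feedback page
// for a shared kiosk. Field names and the lifetime value are assumed.

// Keep the server-side session alive long enough to cover idle gaps between
// visitors, and give the cookie the same lifetime. Must run before session_start().
const SESSION_LIFETIME = 8 * 60 * 60; // 8 hours (assumed value)
ini_set('session.gc_maxlifetime', (string) SESSION_LIFETIME);
session_set_cookie_params([
    'lifetime' => SESSION_LIFETIME,
    'path'     => '/',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Lax',
]);
session_start();

// Returns the session's CSRF token, creating one if the session has none.
function csrfToken(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Constant-time comparison of the submitted token against the session copy.
// Returns false when the session has expired (no stored token) or on mismatch.
function csrfTokenValid(?string $submitted): bool
{
    if (!isset($_SESSION['csrf_token']) || !is_string($submitted)) {
        return false;
    }
    return hash_equals($_SESSION['csrf_token'], $submitted);
}

// Placeholder storage (assumed): appends one line per submission to a file
// outside the web root. Replace with the page's own persistence.
function saveFeedback(string $text): void
{
    $line = date('c') . "\t" . str_replace(["\r", "\n"], ' ', $text) . "\n";
    file_put_contents(__DIR__ . '/../feedback.txt', $line, FILE_APPEND | LOCK_EX);
}

$notice = '';
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrfTokenValid($_POST['csrf_token'] ?? null)) {
        // Expired session or bad token: do not store anything, issue a new
        // token and keep the typed text so the visitor can simply resubmit.
        unset($_SESSION['csrf_token']);
        $notice = 'Your session timed out. Please press Send again.';
    } else {
        $feedback = trim((string) ($_POST['feedback'] ?? ''));
        if ($feedback !== '') {
            saveFeedback($feedback);
            // Rotate the token after a successful submission and clear the form.
            unset($_SESSION['csrf_token']);
            $_POST = [];
            $notice = 'Thank you for your feedback.';
        }
    }
}
?>
<!doctype html>
<meta charset="utf-8">
<title>Feedback</title>
<?php if ($notice !== ''): ?>
<p><?= htmlspecialchars($notice, ENT_QUOTES, 'UTF-8') ?></p>
<?php endif; ?>
<form method="post">
  <input type="hidden" name="csrf_token"
         value="<?= htmlspecialchars(csrfToken(), ENT_QUOTES, 'UTF-8') ?>">
  <textarea name="feedback" rows="4" cols="40"><?= htmlspecialchars($_POST['feedback'] ?? '', ENT_QUOTES, 'UTF-8') ?></textarea>
  <button type="submit">Send</button>
</form>
```

Two caveats apply. `session.gc_maxlifetime` only tells PHP's garbage collector when a session file becomes eligible for deletion; if several applications share one `session.save_path`, a collector run triggered by another script with a shorter lifetime can delete these files earlier, so give the kiosk page its own `session.save_path`. And, as SilverlightFox and CBHacking point out, on a page with no login the token mainly stops a form being submitted from another origin in a visitor's browser; it does nothing against a script that fetches the form and posts the token back, so spam protection of a different kind is still needed.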

1 Answer


Given that the page is before login and is low risk, I have taken the advice of @SilverlightFox and removed the CSRF token from the form, which resolves the issue.

williamsdb
  • For an unauthenticated site, CSRF protection is meaningless, yeah. The whole point of CSRF is that your browser automatically sends the auth creds (`Authorization` header or session token cookie) when it sends a request to your site, so an attacker can use CSRF to have logged-in users do things they don't mean to do. If the site doesn't even have a concept of "logged in", it's irrelevant. An attacker who wanted to, say, spam your site would just use `curl` and could pull the token out of a GET response then include it in a POST response easily. – CBHacking Sep 30 '15 at 22:13