2

I'm implementing CSRF protection using the Encrypted Token Pattern (as per https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29_Prevention_Cheat_Sheet#Encrypted_Token_Pattern).

I understand that the 2 main differences between that pattern and the Double Submit Cookie Pattern are: 1. the token itself is an encrypted token, with expiration 2. the token is stored not in cookie, but instead in DOM element or JS variable (through minified, obfuscated external JS file).

I also understand that just as other prevention methods, this one as well is not safe if your site is vulnerable for XSS attacks.

my questions are: 1. what would be the recommended expiration to give to the token? for example if my site session lasts 12 hours, would it be OK to set expiration of 1 hour, or is it recommended to be limited to minutes/seconds? 2. how do you handle expiration from UX perspective, in case the expiration is short? for example - if the page was loaded at 0sec, but the action was submitted by the user at 80sec and the expiration is 60sec - the submitted token would be expired and the action would fail.

Thanks, Gonen

Improve this question

2 Answers 2

Reset to default
1

My first question would be, why don't you use the recommended synchronizer token pattern?

Anyway, while the answers to your questions have not been formally defined, it is possible to provide you with general recommendations based on the synchronizer token pattern.

  1. The recommended expiration time would be the session duration (the .NET antiforgerytoken attribute, for example, will be able to validate the anti-CSRF token as long as your session cookies are valid, even if you only submit once at the end of the session.)
  2. You don't, in the case of an expired token, you simply reload the page and tell the user that something went wrong and that he/she has to submit the form again. Referring to 1, this will only happen in case of session expiration.
Improve this answer
4
  • Regarding synchronizer token pattern: I actually not sure I understand the difference. Commented Mar 5, 2015 at 15:09
  • Regarding synch-token-pattern: I'm actually not sure I understand the difference. it says that this is a single token that is generated per session, and used throughout the session. isn't that "weaker" than a token per action? anyway, the main reason to go with encrypted token, is the wish to have a stateless implementation, because the application in question usually used in many concurrent tabs, and overriding tokens in the session (tokens used to be per-form) happens sometimes. as for the answers - it's great to know that this is the case. indeed makes it easier to disregard expiration. Commented Mar 5, 2015 at 15:15
  • @Gonen That is indeed weaker, however, further in the OWASP explanation of the synchronizer token pattern, it is mentioned that "To further enhance the security of this proposed design, consider randomizing the CSRF token parameter name and or value for each request". Upon server-side validation of the token, generate a new one and send the new one back to the client. Commented Mar 5, 2015 at 15:19
  • so this is basically what we were doing until now. whenever a form was rendered to the browser, it included its own dedicated token which was also stored in the session, and the validation was to compare the posted value to the one stored in session. as I said, the main drive in the change that I was working on was to become stateless, due to all issues of tokens overriding each other when working in tabs or in some race-conditions of AJAX calls that are being sent simultaneously. Commented Mar 5, 2015 at 15:27
2

Here is a very condensed breakdown on the differences between the Encrypted and Synchronizer Token patterns:

  • The Encrypted Token Patterns does not require server-state
  • It does not require cookies It does not require two tokens
  • It does not require any effort on the client-side other than including the token in HTTP requests
  • It does not require any other application in a subdomain to be XSS-proof

Essentially, the main difference from an implementation-perspective is that the Synchronizer Token Pattern requires 2 tokens, whereas the Encrypted Token Pattern leverages a single token. Michael's answer covers your questions in terms of timeout and UI-refresh. For more information on the subject, I've just posted this entry on how to leverage the Encrypted Token Pattern in ASP.NET. I'm happy to answer any questions you may have on the subject (I designed the Encrypted Token Pattern).

Improve this answer

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.