CSRF Results Against Nonce Confusion - Are They The Same?

In an attempt to make the current application that I am developing more secure, I read about CSRF tokens as well as Nonce.

My question is just this: are CSRF tokens and nonces the same thing? From what I read, I could conclude that these are two different methods of achieving the same goal, or am I misunderstanding something?

If they are different, could you please provide a good code example, or links where I can learn more about how to implement nonces in PHP applications?

Thanks!

+13
php csrf nonce
4 answers

A nonce is usually some random string that is added to the request only to unpredictably change the data that is used to calculate the signature. Therefore, a nonce is usually not used by any server-side business logic.

Whereas a CSRF token is stored somewhere on the server, passed to the client, and must be returned to the server for comparison. If it matches, then OK.

So in your case it would be better to save the CSRF token in a session variable once, for example

$_SESSION['csrf_token'] = bin2hex(random_bytes(16)); 

and use it unchanged during the life of the session in all forms that are in your application.

(If you don't have random_bytes(), use random_compat to polyfill it.)

+13

No, they are not the same.

A nonce prevents replay attacks (it prevents interception of a request and re-submission of it later; for example, if Alice sends "Pay Bob $100", you do not want anyone to forward this 100 times).

CSRF tokens fix an HTML-specific vulnerability in authenticating user actions, where a third-party website can submit forms with the credentials of the user viewing the site (for example, JavaScript on the evil.example.com page that submits a form to facebook.com using your browser, authenticated as you).

CSRF tokens must be secret, otherwise the attacker will have the missing piece necessary to fake the request.

Nonces do not have to be secret if they are signed with a secret (so that an attacker cannot replace one nonce with another).

You can allow requests to be repeated using CSRF tokens and still be protected from CSRF (you are interested in whether this was a deliberate action by the user, but it may not necessarily stop the user from performing it many times).

In fact, this is very often a useful property; for example, it allows users to use the back button and resubmit forms with corrected values. If you implement CSRF protection using a nonce-like mechanism, you will get false alarms when users refresh submitted pages.

An easy way to prevent CSRF without nonces is to put the session identifier in a hidden field (not a value stored in the session, but the identifier of the session itself, the same one you store in the cookie [session_id() in PHP]). When the form is submitted, verify that the ID in the form matches the ID in the cookie. This is sufficient for CSRF, since the attacker cannot know the value of the cookie (CSRF only allows attackers to send cookies blindly).

+14
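A worked illustration of the two mechanisms contrasted in the answers above (the per-session token stored in `$_SESSION` from the first answer, and the single-use nonce that produces false positives on resubmit from this one), as an added example that is not part of any answer on this page. Function names are assumptions; it requires PHP 7 or later for random_bytes().

```php
<?php
// Added example: per-session CSRF token vs. single-use nonce.
// Function names are hypothetical; not from the original answers.
session_start();

// CSRF token: one value per session, reused by every form in the app.
function csrf_token(): string {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

function csrf_hidden_field(): string {
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
}

// hash_equals() compares in constant time, so the token is not leaked
// through timing differences.
function csrf_check(array $post): bool {
    $submitted = $post['csrf_token'] ?? '';
    return is_string($submitted) && isset($_SESSION['csrf_token'])
        && hash_equals($_SESSION['csrf_token'], $submitted);
}

// Nonce: issued per form render, accepted for exactly one submission.
function nonce_issue(): string {
    $nonce = bin2hex(random_bytes(16));
    $_SESSION['nonces'][$nonce] = time(); // kept until spent
    return $nonce;
}

// True once, then the nonce is deleted: a replay, or a refresh-and-resubmit
// of the same form, is rejected (the false-positive case noted above).
function nonce_consume(array $post): bool {
    $nonce = $post['nonce'] ?? '';
    if (!is_string($nonce) || !isset($_SESSION['nonces'][$nonce])) {
        return false;
    }
    unset($_SESSION['nonces'][$nonce]);
    return true;
}

// Handler: CSRF check on every POST; nonce only for actions that must
// never be replayed (e.g. "Pay Bob $100").
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_check($_POST)) { http_response_code(403); exit('CSRF check failed'); }
    if (isset($_POST['nonce']) && !nonce_consume($_POST)) { http_response_code(409); exit('Duplicate'); }
}
```

Render csrf_hidden_field() in every form, and add a hidden `nonce` field from nonce_issue() only on forms whose action must not be repeated.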

It is the same. A nonce is just a one-time value. It can serve as a cryptographic salt, but basically it is just a random value. See WP: Nonce

But to summarize, a nonce is often used as a CSRF token. This is an implementation detail. The difference from other use cases is that it gets verified later.

+7

CSRF has some limitations. In case you have a requirement where you want to open any page or link in a new tab, CSRF will not allow it. An existing token will allow opening a page in a new tab only 5 times. When you try to open it the 6th time, it will create a new token that will not match the "server side = client side token". The previous token expires and a new token (nonce) is created; in this case you will receive a 404 or 405 error.

0