[Zope-dev] CSRF protection for z3c.form

Laurence Rowe l at lrowe.co.uk
Wed Apr 6 15:54:43 EDT 2011


On 6 April 2011 18:52, Roger <dev at projekt01.ch> wrote:
> Hi Laurence
>
>> Betreff: Re: [Zope-dev] CSRF protection for z3c.form
>>
>> On 4 April 2011 16:53, Stephan Richter
>> <srichter at cosmos.phy.tufts.edu> wrote:
>> > On Monday, April 04, 2011, Laurence Rowe wrote:
>> >> The authenticator is described on
>> >> http://pypi.python.org/pypi/plone.protect, but basically
>> it adds an
>> >> HMAC-SHA signed token into the form submission. By validating this
>> >> you know that the submission came from a form that your site
>> >> rendered, rather than an opportunistic 'drive-by' attack
>> from another site.
>> >
>> > So why don't we make this a built-in feature then? The
>> token manager
>> > (I think you call it the authenticator) needs to be smart, since it
>> > needs to deal with stale tokens and similar issues, but
>> otherwise we
>> > could just add an authentication mechanism into z3c.form.
>> >
>> > Mmh, if the token gets stored in the session variable, then
>> we do not
>> > even have to worry about token management, since the
>> session container
>> > has already that logic.
>> >
>> > I have a feeling I am missing a level of complexity here...
>>
>> There should be no need to store anything in sessions, it
>> really is as simple as ensuring that you include a signed
>> token in the form submission that is separate from the user
>> session identifier (as cookies get posted automatically on
>> any form submission.)
>>
>> >> I'm happy to go with (3). I assume it is not common for z3c.form
>> >> users to have non-button actions or customize the
>> ButtonActionHandler?
>> >
>> > Not in my experience.
>>
>> In that case I will attempt to implement it in plone.z3cform
>> first as that will allow me to just reuse the existing
>> plone.protect stuff. My only concern really is how easy it
>> will be to disable for individual forms - as I think it's
>> important to have protection by default. I'm hoping that the
>> following will work:
>>
>> * Register a ProtectedButtonActionHandler on
>> z3c.form.form.Form (to be more specific than the default
>> ButtonActionHandler registered on the IForm interface.)
>>
>> * Register the default ButtonActionHandler on a
>> IUnprotectedForm interface, which individual forms can
>> provide if they need to accept submissions from other sites.
>>
>> For a more general z3c.form protection scheme we can then
>> look at making the zope2 dependencies in plone.protect
>> optional. I would also like to change the token format of
>> plone.protect to include the issue time, so secrets do not
>> need to be rotated to invalidate old tokens, much as
>> plone.session now does:
>> http://pypi.python.org/pypi/plone.session
>
> Does this (optimized) session concept work with (robin arround)
> load balanced servers?

Yes, it has nothing to do with Zope sessions. You can share it between
multiple systems by setting the same shared secret on each one. (In
plone.session the secret is stored in the ZODB, so you only need to
set a shared secret when you want to share login cookies between
multiple plone sites or with other systems.)

> Probably I don't understand some parts of the form token.
> Does the form generate random tokens or allways the same?

A token is generated containing the current user and the time when the
form is rendered, or in the plone.session case when the user logs in.
The token is securely signed using the secret, so it can be
subsequently validated. The time is used to limit validity to say 12
hours (or less if you are feeling paranoid.)

Laurence


More information about the Zope-Dev mailing list