Merge pull request #5201 from kenjis/add-csrf-session

Add Session based CSRF Protection

Author: kenjis

app/Config/Security.php

@@ -6,6 +6,17 @@
 
 class Security extends BaseConfig
 {
+    /**
+     * --------------------------------------------------------------------------
+     * CSRF Protection Method
+     * --------------------------------------------------------------------------
+     *
+     * Protection Method for Cross Site Request Forgery protection.
+     *
+     * @var string 'cookie' or 'session'
+     */
+    public $csrfProtection = 'cookie';
+
     /**
      * --------------------------------------------------------------------------
      * CSRF Token Name

depfile.yaml

@@ -193,6 +193,7 @@ ruleset:
     - HTTP
   Security:
     - Cookie
+    - Session
     - HTTP
   Session:
     - Cookie

env

@@ -110,6 +110,7 @@
 # SECURITY
 #--------------------------------------------------------------------
 
+# security.csrfProtection = 'cookie'
 # security.tokenName = 'csrf_token_name'
 # security.headerName = 'X-CSRF-TOKEN'
 # security.cookieName = 'csrf_cookie_name'

system/Security/Security.php

@@ -14,6 +14,7 @@
 use CodeIgniter\Cookie\Cookie;
 use CodeIgniter\HTTP\RequestInterface;
 use CodeIgniter\Security\Exceptions\SecurityException;
+use CodeIgniter\Session\Session;
 use Config\App;
 use Config\Cookie as CookieConfig;
 use Config\Security as SecurityConfig;
@@ -27,6 +28,18 @@
  */
 class Security implements SecurityInterface
 {
+    public const CSRF_PROTECTION_COOKIE  = 'cookie';
+    public const CSRF_PROTECTION_SESSION = 'session';
+
+    /**
+     * CSRF Protection Method
+     *
+     * Protection Method for Cross Site Request Forgery protection.
+     *
+     * @var string 'cookie' or 'session'
+     */
+    protected $csrfProtection = self::CSRF_PROTECTION_COOKIE;
+
     /**
      * CSRF Hash
      *
@@ -128,6 +141,13 @@ class Security implements SecurityInterface
      */
     private $rawCookieName;
 
+    /**
+     * Session instance.
+     *
+     * @var Session
+     */
+    private $session;
+
     /**
      * Constructor.
      *
@@ -141,11 +161,12 @@ public function __construct(App $config)
 
         // Store CSRF-related configurations
         if ($security instanceof SecurityConfig) {
-            $this->tokenName     = $security->tokenName ?? $this->tokenName;
-            $this->headerName    = $security->headerName ?? $this->headerName;
-            $this->regenerate    = $security->regenerate ?? $this->regenerate;
-            $this->rawCookieName = $security->cookieName ?? $this->rawCookieName;
-            $this->expires       = $security->expires ?? $this->expires;
+            $this->csrfProtection = $security->csrfProtection ?? $this->csrfProtection;
+            $this->tokenName      = $security->tokenName ?? $this->tokenName;
+            $this->headerName     = $security->headerName ?? $this->headerName;
+            $this->regenerate     = $security->regenerate ?? $this->regenerate;
+            $this->rawCookieName  = $security->cookieName ?? $this->rawCookieName;
+            $this->expires        = $security->expires ?? $this->expires;
         } else {
             // `Config/Security.php` is absence
             $this->tokenName     = $config->CSRFTokenName ?? $this->tokenName;
@@ -155,13 +176,28 @@ public function __construct(App $config)
             $this->expires       = $config->CSRFExpire ?? $this->expires;
         }
 
-        $this->configureCookie($config);
+        if ($this->isCSRFCookie()) {
+            $this->configureCookie($config);
+        } else {
+            // Session based CSRF protection
+            $this->configureSession();
+        }
 
         $this->request = Services::request();
 
         $this->generateHash();
     }
 
+    private function isCSRFCookie(): bool
+    {
+        return $this->csrfProtection === self::CSRF_PROTECTION_COOKIE;
+    }
+
+    private function configureSession(): void
+    {
+        $this->session = Services::session();
+    }
+
     private function configureCookie(App $config): void
     {
         /** @var CookieConfig|null $cookie */
@@ -253,7 +289,12 @@ public function verify(RequestInterface $request)
 
         if ($this->regenerate) {
             $this->hash = null;
-            unset($_COOKIE[$this->cookieName]);
+            if ($this->isCSRFCookie()) {
+                unset($_COOKIE[$this->cookieName]);
+            } else {
+                // Session based CSRF protection
+                $this->session->remove($this->tokenName);
+            }
         }
 
         $this->generateHash();
@@ -409,13 +450,23 @@ protected function generateHash(): string
             // We don't necessarily want to regenerate it with
             // each page load since a page could contain embedded
             // sub-pages causing this feature to fail
-            if ($this->isHashInCookie()) {
-                return $this->hash = $_COOKIE[$this->cookieName];
+            if ($this->isCSRFCookie()) {
+                if ($this->isHashInCookie()) {
+                    return $this->hash = $_COOKIE[$this->cookieName];
+                }
+            } elseif ($this->session->has($this->tokenName)) {
+                // Session based CSRF protection
+                return $this->hash = $this->session->get($this->tokenName);
             }
 
             $this->hash = bin2hex(random_bytes(16));
 
-            $this->saveHashInCookie();
+            if ($this->isCSRFCookie()) {
+                $this->saveHashInCookie();
+            } else {
+                // Session based CSRF protection
+                $this->saveHashInSession();
+            }
         }
 
         return $this->hash;
@@ -428,7 +479,7 @@ private function isHashInCookie(): bool
         && preg_match('#^[0-9a-f]{32}$#iS', $_COOKIE[$this->cookieName]) === 1;
     }
 
-    private function saveHashInCookie()
+    private function saveHashInCookie(): void
     {
         $this->cookie = new Cookie(
             $this->rawCookieName,
@@ -467,4 +518,9 @@ protected function doSendCookie(): void
     {
         cookies([$this->cookie], false)->dispatch();
     }
+
+    private function saveHashInSession(): void
+    {
+        $this->session->set($this->tokenName, $this->hash);
+    }
 }