Cphalcon: [NFR]: Don't change the CSRF token on every request

Created on 24 Sep 2019 · 8 Comments · Source: phalcon/cphalcon

Is your feature request related to a problem? Please describe.
Sessions do not change in some cases, but the CSRF token does change somehow. There should be an option to prevent this token from changing on every single request, to avoid writes to the session store.

Describe the solution you'd like
There should be a manual option to 'disable automatic regeneration' of the CSRF token. After this, to get a new CSRF token, someone ought to trigger a function to refresh it.

Describe alternatives you've considered
None

Additional context
DynamoDB is a NoSQL store that plays a major role in the dominant position of AWS. As it can asynchronously replicate itself across multiple data centers and can store an infinite amount of data, it is the go-to choice for many companies to use as a session store or cache.

DynamoDB is priced by provisioned reads and writes. If unnecessary writes can be avoided, it can drastically reduce the price of such services. In order for Phalcon to be viable for services that have thousands of simultaneous users, this behavior ought to be changed.

Because of this, there should be an option to refresh the CSRF token manually, to avoid writes to DynamoDB when no data in the session has changed.

new feature request


All 8 comments

Yes, I agree. It would be convenient if the CSRF token worked without a session

@ekmst Without a session it will be hard. You need to write at least once.

@ruudboon Can we try to implement this using a secret key and HMAC?

@ekmst we could investigate something like that. Sounds like a new feature request and not directly related to this issue.

What also could be a possibility, is that you always generate a CSRF token when a session could not be found, but have the ability to manually trigger the refresh:

$this->security->csrfRefresh();

And just allow people to set this behavior as follows:

new Security([
   'autoCsrfRefresh' => false
]);
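To make both proposals in this thread concrete, here is an added example (not Phalcon's own code, and not code posted by anyone in the thread): a small token helper with an `autoRefresh` switch in the spirit of the `autoCsrfRefresh` option and `csrfRefresh()` call suggested above, plus the stateless HMAC variant @ekmst raised. The class names `CsrfTokens`, `HmacCsrfTokens` and `SessionStore`, the session key, and the write counter are all hypothetical; the store stands in for a DynamoDB-backed session and counts writes so you can see that, with auto-refresh off, repeated requests cause no session write at all.

```php
<?php
declare(strict_types=1);

// Hypothetical stand-in for a remote (e.g. DynamoDB-backed) session store.
// It counts writes so the caller can verify when the session is touched.
final class SessionStore
{
    /** @var array<string,string> */
    private array $data = [];
    public int $writes = 0;

    public function get(string $key): ?string
    {
        return $this->data[$key] ?? null;
    }

    public function set(string $key, string $value): void
    {
        $this->data[$key] = $value;
        $this->writes++;
    }
}

// Session-backed tokens. With $autoRefresh = false the token is generated
// only when the session has none; a new one is issued only by refresh().
final class CsrfTokens
{
    private const KEY = 'csrf.token'; // hypothetical session key

    public function __construct(
        private SessionStore $session,
        private bool $autoRefresh = true,
    ) {
    }

    // Token to embed in a form (or send as a header).
    public function getToken(): string
    {
        $token = $this->session->get(self::KEY);
        if ($token === null || $this->autoRefresh) {
            $token = $this->refresh();
        }
        return $token;
    }

    // The manual refresh: the only session write once auto-refresh is off.
    public function refresh(): string
    {
        $token = bin2hex(random_bytes(32));
        $this->session->set(self::KEY, $token);
        return $token;
    }

    // Constant-time comparison; a missing stored token never validates.
    public function check(string $submitted): bool
    {
        $stored = $this->session->get(self::KEY);
        return $stored !== null && hash_equals($stored, $submitted);
    }
}

// Stateless variant: the token is an HMAC of the session identifier under a
// server-side secret, so nothing is written to the session at all. It is only
// as strong as the session id being unguessable and unreadable by the attacker.
final class HmacCsrfTokens
{
    public function __construct(private string $secret)
    {
    }

    public function getToken(string $sessionId): string
    {
        return hash_hmac('sha256', $sessionId, $this->secret);
    }

    public function check(string $sessionId, string $submitted): bool
    {
        return hash_equals($this->getToken($sessionId), $submitted);
    }
}

// Usage: session-backed tokens with automatic regeneration disabled.
$store = new SessionStore();
$csrf  = new CsrfTokens($store, autoRefresh: false);
$t1 = $csrf->getToken();            // first request: one write
$t2 = $csrf->getToken();            // later requests: same token, no write
assert($t1 === $t2 && $store->writes === 1);
assert($csrf->check($t1));
$t3 = $csrf->refresh();             // explicit refresh: second write
assert(!$csrf->check($t1) && $csrf->check($t3) && $store->writes === 2);

// Usage: stateless tokens, zero session writes.
$hmac = new HmacCsrfTokens(random_bytes(32));
$sid  = bin2hex(random_bytes(16));
assert($hmac->check($sid, $hmac->getToken($sid)));
assert(!$hmac->check('some-other-session', $hmac->getToken($sid)));
```

Two caveats a practitioner should keep in mind. Disabling per-request regeneration means one token is valid for the lifetime of the session, so the token must be regenerated (here, via `refresh()`) whenever the session id itself is regenerated, such as after login, to keep a fixation-style attack from carrying a pre-login token across that boundary. The HMAC variant removes the session write entirely but moves all of the security onto the secrecy of the session id and the server key; if you need expiry, fold a timestamp into the HMAC input and into the token, and check it on verification.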

@v00v Please create a separate issue for this and let's keep this one only about the refreshing.

@ruudboon No problem. I removed it, Ignore it please.

Closing this: Please vote for this feature here: #14608
