Invalidate CSRF token #68

Open
kumarmugu opened this issue Oct 9, 2015 · 7 comments

Comments

@kumarmugu

Hi
I am using krakenJS and enabled CSRF. Currently I am able to reuse the csrf token generated on one page on another page (within the user session only).

I don't want to reuse the token even within the user session. Can I invalidate the token somehow?

Is there any way to do it in lusca?

Thanks in advance

K.Mugunthan.

@aredridel
Contributor

That sounds a bit like you're trying to do more than mitigate a CSRF attack with it.

What are you trying to do?

@jasisk
Contributor

jasisk commented Oct 9, 2015

With the default token implementation, there is no first-class mechanism to invalidate the token. Invalidating only at the terminus of the session is sufficient as far as OWASP is concerned.

You could certainly provide your own token implementation (using the `impl` property of the options you pass to `lusca.csrf`; see the default implementation for the required signature) and make a nonce, which you also store in their session, part of the data that is used to generate the token (you should probably use an HMAC at that point).

@kumarmugu
Author

@aredridel I will try to explain my requirement with a small example. I have two pages: 1. user edit page, 2. offers edit page.

I should allow the token generated for the user edit page to be used on the offers edit page.

@jasisk Thanks for your quick response. I have gone through the default token.js and written a customized token file. I placed it at /lib/csrfToken.js.

Now I am struggling to configure my implementation function. Can you please help me?

I want to supply the implementation function in the arguments.
My application's csrf configuration is as follows:

```json
"csrf": {
  "enabled": true,
  "priority": 111,
  "route": "/((?!api))*",
  "module": {
    "name": "lusca",
    "method": "csrf",
    "arguments": [ {"impl": Function} ]
  }
}
```

Thanks in advance

@kumarmugu
Author

Hi @jasisk

I have specified my application configuration below.

```json
"csrf": {
  "enabled": true,
  "priority": 111,
  "route": "/((?!api))*",
  "module": {
    "name": "lusca",
    "method": "csrf",
    "arguments": [ {"impl":"path:./lib/csrfToken"} ]
  }
}
```

And I have changed line 26 of https://github.com/krakenjs/lusca/blob/master/lib/csrf.js as follows.
And it is picking up my custom token generation function.

```javascript
impl = require(options.impl) || token;
```

Is there any way to call my function without modifying lusca's code?

Thanks.

@aredridel
Contributor

So why does this require invalidating the token, if both pages should use the same one?

@kumarmugu
Author

Really sorry. It's a typo. I should not allow.

Thanks.

@aredridel
Contributor

Ah, okay. That makes more sense. It doesn't really answer why though -- what are you trying to prevent? Sounds like more than CSRF attacks that you're trying to prevent.
