
express-csrf's People

Contributors

debrouwere, linus, tanepiper

express-csrf's Issues

CSRF in AJAX

I think it would be useful for others to read this post about CSRF and AJAX: http://erlend.oftedal.no/blog/?blogid=118

This kind of protection would have to be added manually depending on the structure of the application, but it would be helpful to point people in the right direction in the readme for this module. Also, it would be nice to support CSRF tokens in the headers.

TypeError: Cannot read property 'lastAccess' of undefined

When installing it just as the instructions said, I got the following error:

500 TypeError: Cannot read property 'lastAccess' of undefined
at HTTPServer. (/[projname]/node_modules/express-csrf/lib/index.js:21:83)
blah blah blah.

It appears that the library expects the request session object to have a lastAccess property, but it doesn't exist. Looking at the request object, I can't seem to find any substitute.

Here are the modules I'm using:

├─┬ [email protected]
│ ├── [email protected]
│ ├── [email protected]
│ └── [email protected]
├── [email protected] extraneous
├── [email protected]
├─┬ [email protected] extraneous
│ ├── [email protected]
│ ├── [email protected]
│ └── [email protected]
└── [email protected] extraneous

connect-form multipart data

Error:
500 TypeError: Cannot use 'in' operator to search for 'csrf' in undefined

Any ideas about compatibility with connect-form?

bug w/ next(err)

I was just looking at the code after I recommended this to someone in #node.js. You next(err) after responding, which is generally bad practice with Connect middleware, since the error-handling middleware may decide to (and usually does) respond.
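The double-response the issue warns about, as an added example that is neither express-csrf's code nor Connect's: a tiny Connect-style chain runner with a constructed res object that records every end() call, so a handler that responds and then calls next(err) is visibly answered twice by the error handler. runChain, makeRes and the two reject handlers are stand-ins written for this example.

```javascript
// Added example, not express-csrf's or Connect's code. Shows why calling
// next(err) after res.end() is a bug: the error handler responds again.
// runChain mimics Connect's dispatch; makeRes is a constructed response object.
function makeRes() {
  return {
    statusCode: 200,
    headersSent: false,
    writes: [], // every end() call is recorded so a second response is visible
    end(body) {
      if (this.headersSent) {
        this.writes.push({ error: 'write after end', body });
        return;
      }
      this.headersSent = true;
      this.writes.push({ status: this.statusCode, body });
    },
  };
}

// Minimal Connect semantics: (req, res, next) handlers run normally; a
// handler with four parameters is an error handler and runs only once
// next(err) has been called with an error.
function runChain(handlers, req, res) {
  let i = 0;
  function next(err) {
    while (i < handlers.length) {
      const h = handlers[i++];
      const isErrorHandler = h.length === 4;
      if (err && isErrorHandler) return h(err, req, res, next);
      if (!err && !isErrorHandler) return h(req, res, next);
    }
  }
  next();
}

// Buggy pattern from the issue: respond, then still hand an error downstream.
function rejectBuggy(req, res, next) {
  res.statusCode = 403;
  res.end('forbidden');
  next(new Error('csrf token mismatch'));
}

// Fixed pattern: either respond yourself or pass the error on, never both.
function rejectFixed(req, res, next) {
  const err = new Error('csrf token mismatch');
  err.status = 403;
  next(err);
}

// A typical error handler: it responds, which is exactly what the issue expects.
function errorHandler(err, req, res, next) {
  res.statusCode = err.status || 500;
  res.end(err.message);
}

// Run one rejecting middleware followed by the error handler; return the recorded writes.
function simulate(rejecter) {
  const res = makeRes();
  runChain([rejecter, errorHandler], {}, res);
  return res.writes;
}
```

With the real Node response object the second end() surfaces as a "write after end" error on the socket, with Express as the familiar "Cannot set headers after they are sent"; the constructed res just records it so the test can see both writes.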

Huge security hole in this

The way you generate the token is just wrong from an information theory perspective. What you want is a random token that would be very hard to guess. You instead generate a token which seems random but is actually quite simple to guess. You use the current time and the last access time to generate the hash. The times are in milliseconds, and are usually the same exact time! (or differing in a few milliseconds) If the user has logged in within the past 10 minutes, that means there are only 1000 × 60 × 10 = 600,000 combinations to try to guess the csrf token. This isn't much these days; any attacker could do it. And if the user has logged in within the past minute, it's only 60,000 guesses. This is much lower than the 2^128 guesses implied by having a 128-bit token.

I would fix it, but connect (which express uses) has its own CORRECT implementation of csrf here: http://senchalabs.github.com/connect/middleware-csrf.html

I think you should direct people to connect's csrf implementation as it's already included in express.
