Does an anonymous comment/post form need csrf token? If not why does SO use it and how to implement it?


There are some discussions like this on SO claiming that csrf protection is not required for anonymous forms. Looking at the stackoverflow html code, when not logged in, you can see the csrf token being set for the answer box when posting as an anonymous user.

  1. How does this csrf token help protecting an anonymous user?
  2. csrf token should be associated with a user session id. What's the equivalent used for an anonymous user? The ip address?

There are 2 answers

Neil Smithline

How does this csrf token help protecting an anonymous user?

The rule of thumb is that any state changing operation needs to be protected from CSRF attacks. So if your form is a state changing operation, it should be protected. For example, this answer describes why you need to use CSRF protection on a login form (remember that the user is anonymous when logging in). I've seen anonymous polling forms that you would also want to protect. In the case of the polling forms, the CSRF token is protecting the site's integrity (whatever integrity an anonymous polling site has).

On the other hand, some forms don't need CSRF protection. Obviously forms that are processed in JavaScript and never go to the server don't need CSRF protection. The same is true for forms that perform basic utilities such as language translation forms.

csrf token should be associated with a user session id. What's the equivalent used for an anonymous user? The ip address?

Most web frameworks have stateful sessions for anonymous users. For example, PHP uses the $_SESSION variable. They typically set a cookie in the user's browser to the session ID. You would use the stateful session to store the server-side copy of the CSRF token.

SilverlightFox

It depends on the acceptable risk level of your site.

How does this csrf token help protecting an anonymous user?

The risk is that the anonymous comment will be credited as coming from that particular anonymous user. That is, all the metadata will point to them (IP address, browser, OS, cookies, etc), rather than to the malicious user and site. The only evidence that it was from a CSRF attack would be headers such as Origin and referer.

csrf token should be associated with a user session id. What's the equivalent used for an anonymous user? The ip address?

You can protect your pages in much the same way as you can protect against login CSRF. This is effectively a Double Submit Cookies approach.

So the process is:

  1. HTTP response for the HTML form contains a Set-Cookie: header for a cryptographically secure random token, and the form itself contains a hidden field with the same token.
  2. When the form is submitted, the token in the cookie sent by the browser is compared to the token in the hidden field.

This will prevent a malicious site from submitting the cross domain form and "crediting" it to the browser user because although the malicious site can cause the browser to send the token in the cookie, they can't discover the token value to include in the payload itself (i.e. the hidden field when submitted legitimately).
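Both answers describe a token pattern that works without a logged-in user: Neil Smithline's session-backed (synchronizer) token stored server-side, and SilverlightFox's stateless double-submit cookie. The following is an added example, not code from either answer or from any framework; it models the framework's request, response and session objects as plain dicts (the `SESSIONS` store, the `sid` and `csrf` cookie names and the `csrf_token` field name are assumptions) so that the two checks can be run side by side offline.

```python
# Added example (not from the original answers): the two anonymous-user CSRF
# token patterns the answers describe, implemented without a web framework.
# Requests, responses and the session store are modelled as plain dicts.
import hmac
import secrets

TOKEN_BYTES = 32


def new_token() -> str:
    # Cryptographically secure random token, as the double-submit answer requires.
    return secrets.token_urlsafe(TOKEN_BYTES)


# --- Pattern 1: synchronizer token backed by an anonymous server-side session ---
# The framework's session store (e.g. PHP's $_SESSION keyed by a session-ID
# cookie) is modelled as a dict from session id to session data (assumption).
SESSIONS: dict[str, dict] = {}


def start_anonymous_session() -> tuple[str, dict]:
    """Create a session for a visitor who has not logged in.
    Returns (session_id, response_headers); the cookie name 'sid' is assumed."""
    sid = new_token()
    SESSIONS[sid] = {"csrf_token": new_token()}
    return sid, {"Set-Cookie": f"sid={sid}; Path=/; HttpOnly; Secure; SameSite=Lax"}


def render_form_synchronizer(sid: str) -> str:
    # The hidden field carries the token stored server-side for this session.
    token = SESSIONS[sid]["csrf_token"]
    return f'<input type="hidden" name="csrf_token" value="{token}">'


def verify_synchronizer(cookies: dict, form: dict) -> bool:
    session = SESSIONS.get(cookies.get("sid", ""))
    if session is None:
        return False
    expected = session["csrf_token"]
    submitted = form.get("csrf_token", "")
    # Constant-time comparison so the check does not leak the token via timing.
    return hmac.compare_digest(expected.encode(), submitted.encode())


# --- Pattern 2: double-submit cookie, no server-side state at all ---
def render_form_double_submit() -> tuple[dict, str]:
    """Step 1 of the answer: one random token goes into a Set-Cookie header AND
    into a hidden field. Returns (response_headers, hidden_field_html)."""
    token = new_token()
    headers = {"Set-Cookie": f"csrf={token}; Path=/; HttpOnly; Secure; SameSite=Lax"}
    return headers, f'<input type="hidden" name="csrf_token" value="{token}">'


def verify_double_submit(cookies: dict, form: dict) -> bool:
    """Step 2: the cookie the browser sends must equal the hidden field.
    A cross-site post carries the cookie automatically but the attacking page
    cannot read its value, so it cannot fill the hidden field correctly."""
    cookie_token = cookies.get("csrf", "")
    field_token = form.get("csrf_token", "")
    if not cookie_token or not field_token:
        return False
    return hmac.compare_digest(cookie_token.encode(), field_token.encode())


def parse_set_cookie(header: str) -> dict:
    # Minimal stand-in for the browser's cookie jar: name=value from Set-Cookie.
    name, _, value = header.split(";", 1)[0].partition("=")
    return {name.strip(): value.strip()}


def parse_hidden_field(html: str) -> dict:
    # Minimal stand-in for the browser serialising the rendered hidden field.
    value = html.split('value="', 1)[1].split('"', 1)[0]
    return {"csrf_token": value}


def demo() -> dict:
    """A legitimate submission passes; a cross-site post (cookie present, token
    unknown) and a post with no cookie at all are rejected by both patterns."""
    results = {}
    sid, hdrs = start_anonymous_session()
    jar = parse_set_cookie(hdrs["Set-Cookie"])
    good_form = parse_hidden_field(render_form_synchronizer(sid))
    results["sync_legit"] = verify_synchronizer(jar, good_form)
    results["sync_cross_site"] = verify_synchronizer(jar, {"csrf_token": "guess"})

    hdrs, field_html = render_form_double_submit()
    jar = parse_set_cookie(hdrs["Set-Cookie"])
    good_form = parse_hidden_field(field_html)
    results["ds_legit"] = verify_double_submit(jar, good_form)
    results["ds_cross_site"] = verify_double_submit(jar, {"csrf_token": "guess"})
    results["ds_no_cookie"] = verify_double_submit({}, good_form)
    return results


if __name__ == "__main__":
    print(demo())
```

The double-submit variant is only as strong as the browser's cookie isolation: it assumes nothing else under the same registrable domain can set a cookie named `csrf` for the victim, since an attacker who can plant their own cookie value can also put that value in the hidden field. Marking the cookie `SameSite=Lax` (as above) gives a second, independent layer, and comparing with `hmac.compare_digest` rather than `==` keeps the check constant-time in both patterns.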