cPanel & WHM Version 98 has been released, and brings a slew of great updates. Take a look at what is included, and then upgrade today!

Have Cookie-to-Header security token on login form

Keith Poole (Agilis IT) shared this idea 5 years ago
Open Discussion

Ideally someone should not be able to POST to the login processor without going through the form first. A good example of this would be the CloudFlare login: https://www.cloudflare.com/a/login - you'll see this hidden form field:


<input type="hidden" name="security_token" autocomplete="false" value="blahblahblahblahXYZ123">


This is a once off, so if I POST to /a/login without this, I get an "Invalid Security Token" error. This means that any visitors are first subject to the form, and then any [re]CAPTCHA or terms that are on it, and also of course prevents rapid/scripted brute force attacks.


More information can be found here: https://en.wikipedia.org/wiki/Cross-site_request_forgery#Cookie-to-Header_Token


I am aware that there is CSRF tokenisation after the login process to prevent that level of CSRF, and that this Cookie-to-Header token pre-login could not be default due to 3rd party integrations being broken, but it would be of a massive security benefit to be able to enable it if external integrations are compatible.

Leave a Comment
 
Attach a file