
Have Cookie-to-Header security token on login form

Keith Poole (Agilis IT) shared this idea 5 years ago
Open Discussion

Ideally someone should not be able to POST to the login processor without going through the form first. A good example of this is the CloudFlare login, where you'll see this hidden form field:

<input type="hidden" name="security_token" autocomplete="false" value="blahblahblahblahXYZ123">

This is a one-off, so if I POST to /a/login without this, I get an "Invalid Security Token" error. This means that any visitors are first subject to the form, and then any [re]CAPTCHA or terms that are on it, and it also of course prevents rapid/scripted brute force attacks.

More information can be found here:

I am aware that there is CSRF tokenisation after the login process to prevent that level of CSRF, and that this Cookie-to-Header token pre-login could not be default due to 3rd party integrations being broken, but it would be of a massive security benefit to be able to enable it if external integrations are compatible.
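The check described in this request, written out as an added example (it is not cPanel's or CloudFlare's code): a server that issues a one-off security_token bound to the visitor's session cookie when it renders the login form, and a login processor that refuses any POST whose token is missing, mismatched, expired or already used. The in-memory session store, the 300-second token lifetime and the function names are assumptions for the example.

```python
import hmac
import secrets
import time
from typing import Optional, Tuple

# Assumed in-memory store: session cookie value -> {"token": ..., "expires": ...}.
# A real deployment would keep this in the server's session backend.
SESSIONS = {}
TOKEN_TTL = 300  # seconds a rendered form stays usable (assumed value)


def new_session() -> str:
    """Mint a random session cookie value for a visitor loading the form."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {}
    return sid


def issue_form_token(sid: str, ttl: float = TOKEN_TTL) -> str:
    """Called when rendering the form: bind a fresh one-off token to this cookie."""
    token = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"token": token, "expires": time.time() + ttl}
    return token


def render_hidden_field(token: str) -> str:
    """The hidden input the browser sends back with the credentials."""
    return f'<input type="hidden" name="security_token" value="{token}">'


def check_login_post(cookie_sid: Optional[str],
                     posted_token: Optional[str]) -> Tuple[bool, str]:
    """Run by the login processor before credentials are even looked at.
    Returns (ok, reason). The token is consumed on every attempt, pass or
    fail, so a retry (scripted or not) has to go back through the form."""
    if not cookie_sid or not posted_token:
        return False, "Invalid Security Token"
    rec = SESSIONS.get(cookie_sid)
    if not rec or "token" not in rec:
        return False, "Invalid Security Token"
    expected = rec.pop("token")        # pop first: never replayable
    expires = rec.pop("expires", 0)
    if time.time() > expires:
        return False, "Security token expired"
    if not hmac.compare_digest(expected, posted_token):  # constant-time compare
        return False, "Invalid Security Token"
    return True, "ok"
```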
