
Yet one more discussion about Transient Key

businessdad Stealth contributor MVP

Following @peregrine's question, I made some experiments using the transient key, and I think I found out something: the key cannot be validated if the user is not logged in. If an anonymous user opens a page containing a form, that form will contain a transient key, generated randomly. However, when the user posts back the form, the transient key cannot be validated. Based on my tests, Gdn::Session->ValidateTransientKey() fails because the internal $this->_TransientKey is always false for anonymous users.

I'm now wondering if I'm getting confused, or if this is how the logic is supposed to work. The key should help deal with CSRF attempts, but it should also work when an anonymous user is posting. This seems to be confirmed by the fact that ValidateTransientKey() accepts a ValidateUser parameter, which determines if the User has to be logged in for the key to be considered valid, but, judging by the way the method works, ValidateUser doesn't seem to make any difference:

   // Gdn_Session::ValidateTransientKey() as quoted from Vanilla (PHP)
   public function ValidateTransientKey($ForeignKey, $ValidateUser = TRUE) {
      // With $ValidateUser set, a guest (UserID 0) is rejected before the key is even compared
      if ($ValidateUser && $this->UserID <= 0)
         return FALSE;
      // Otherwise the posted key must equal the session's key, and that key must have been set
      return $ForeignKey == $this->_TransientKey && $this->_TransientKey !== FALSE;
   }

However, the above will always fail if the user is not logged in, no matter what:

  • If ValidateUser is TRUE and the user is not logged in, then UserID will always be less than zero. Result: false.
  • If ValidateUser is FALSE and the user is not logged in, then $this->_TransientKey will always be false. Result: false.

I have the feeling that I'm missing something here...

Comments

  • @businessdad said:
    The key should help dealing with CSRF attempts

    Their logic is that it is related to hijacking of someone else's session.

    If the specific operation is for a guest, then it is not validated.

    Yes $ValidateUser is some extraneous / surplus code.

    @businessdad said:
    I have the feeling that I'm missing something here...

    Rhetorical question, you can read code fine.

    grep is your friend.

  • businessdad Stealth contributor MVP

    @x00 said:
    Rhetorical question, you can read code fine.

    Not really rhetorical, I posted at 2:30 AM and my mind was a bit "foggy". :)

    Anyway, I will need to validate guest operations, so I will implement a bit of logic to perform such operation. If there is a will... There is a testament.
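One way to get the behaviour the first post expects (a transient key that a guest can also validate, while $ValidateUser still gates operations that need a login) is to bind the key to the server-side session instead of to the user record. The following is an added example written for this thread, not Vanilla's own code and not the logic businessdad says he will implement: the class name GuestAwareTransientKey, the 'TransientKey' session slot and the walk-through values are assumptions, and it assumes PHP 7.4 or later with a session array available to anonymous visitors ($_SESSION after session_start(); a plain array stands in for it here so the script runs offline).

```php
<?php
declare(strict_types=1);

// Added example, not Vanilla's code: a minimal transient-key helper that keeps
// the key in the server-side session, so an anonymous visitor has a stable key
// across the GET that renders the form and the POST that submits it.
final class GuestAwareTransientKey
{
    private const SESSION_SLOT = 'TransientKey'; // slot name assumed for this example

    /** @var array<string,mixed> reference to the session store ($_SESSION in a real request) */
    private array $store;
    private int $userID;

    /** @param array<string,mixed> $store session store; $userID 0 means anonymous */
    public function __construct(array &$store, int $userID = 0)
    {
        $this->store = &$store;
        $this->userID = $userID;
    }

    /** Returns this session's key, generating it from a CSPRNG on first use. */
    public function transientKey(): string
    {
        if (!isset($this->store[self::SESSION_SLOT]) || !is_string($this->store[self::SESSION_SLOT])) {
            $this->store[self::SESSION_SLOT] = bin2hex(random_bytes(16)); // 32 hex characters
        }
        return $this->store[self::SESSION_SLOT];
    }

    /**
     * Same signature as the ValidateTransientKey() quoted in the thread.
     * $validateUser still rejects guests for operations that require a login,
     * but with $validateUser = false a guest passes as long as the posted key
     * matches the key issued to this session.
     */
    public function validateTransientKey(?string $foreignKey, bool $validateUser = true): bool
    {
        if ($validateUser && $this->userID <= 0) {
            return false; // this operation requires a login
        }
        $expected = $this->store[self::SESSION_SLOT] ?? null;
        if (!is_string($expected) || $foreignKey === null) {
            return false; // no key issued to this session yet, or nothing posted
        }
        return hash_equals($expected, $foreignKey); // constant-time comparison
    }

    /** Hidden input to render in every state-changing form. */
    public function hiddenField(): string
    {
        return '<input type="hidden" name="TransientKey" value="'
            . htmlspecialchars($this->transientKey(), ENT_QUOTES, 'UTF-8') . '">';
    }
}

// Constructed walk-through: two separate guest sessions, standing in for $_SESSION.
$sessionA = [];
$sessionB = [];
$guestA = new GuestAwareTransientKey($sessionA, 0);
$guestB = new GuestAwareTransientKey($sessionB, 0);

echo $guestA->hiddenField(), "\n";     // what guest A's page carries
$posted = $guestA->transientKey();     // the value guest A's browser sends back

$cases = [
    'guest A, operation requires login' => $guestA->validateTransientKey($posted, true),
    'guest A, guest operation'          => $guestA->validateTransientKey($posted, false),
    'guest A, forged key'               => $guestA->validateTransientKey('forged', false),
    "guest B replaying A's key"         => $guestB->validateTransientKey($posted, false),
];
foreach ($cases as $label => $ok) {
    printf("%-35s %s\n", $label, $ok ? 'valid' : 'rejected');
}
```

The design choice worth noting is that the key is per session rather than per user, so a key copied from one guest's page is useless in another guest's session, and the session cookie is what ties the two halves of the form round-trip together. Operations that genuinely need an account should keep calling validateTransientKey() with $validateUser left at true; only the guest-facing operations businessdad describes would pass false.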
