Add session management to Web Admin UI to prevent CSRF
Reported by: VValdo | Owned by: somebody
Description (last modified by VValdo)
Per the thread at http://www.dd-wrt.com/phpBB2/viewtopic.php?t=55173&start=180, I was asked to add the following:
DD-WRT needs a form of session management to help fight CSRF attacks by tracking session state. This could work as follows:
- Upon successful HTTP authentication, DD-WRT generates a session ID (such as an md5 hash of a salted string generated from the authentication datestamp or login password, for example). The session ID is returned to the browser as a cookie with a built-in expiration period (which could be altered via the Security tab).
- ALSO-- following successful authorization, all web forms could include a HIDDEN form element containing the session ID (i.e., POST method), or it could be included in the URL as &SESSIONID=WHATEVER (i.e., GET method). The cookie could also be checked with each connection. In any event, the goal is to track the session across connections.
- Any "trusted" interaction with the Web Interface should verify that a valid session ID was passed back to the server. The server should ask for authorization again from any connection that does not provide the Session ID, and refuse access without authorization or the session token.
- The server should invalidate the Session ID token after the expiration period (or a period of inactivity from the user).
Session tokens can be held by the server in memory, database, or a file. Security ramifications should be considered for any method used.
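The scheme above, as an added Python sketch (not DD-WRT's C httpd code): a random session ID issued after authentication, returned as a cookie and echoed in a hidden form field, and accepted only when both match a live, unexpired session. The lifetime and idle-timeout values are assumed defaults.

```python
import hmac
import secrets
import time

# Constructed illustration of the proposed session scheme, not DD-WRT code.
# The ID is random rather than an md5 of a salted timestamp, so it cannot be
# predicted by anyone who knows roughly when the admin logged in.
SESSION_LIFETIME = 3600    # absolute lifetime in seconds (assumed default)
IDLE_TIMEOUT = 600         # inactivity limit in seconds (assumed default)

_sessions = {}  # in-memory store: session_id -> {"created": t, "last_seen": t}

def create_session(now=None):
    """Issue a session ID after successful HTTP authentication."""
    now = time.time() if now is None else now
    sid = secrets.token_hex(16)
    _sessions[sid] = {"created": now, "last_seen": now}
    return sid

def cookie_header(sid):
    """Set-Cookie line returned to the browser; Max-Age is the client-side expiry."""
    return (f"Set-Cookie: SESSIONID={sid}; Max-Age={SESSION_LIFETIME}; "
            "HttpOnly; SameSite=Strict; Path=/")

def hidden_field(sid):
    """Hidden form element carrying the session ID for POST forms."""
    return f'<input type="hidden" name="SESSIONID" value="{sid}">'

def validate_request(cookie_sid, form_sid, now=None):
    """True only if the cookie and the form/URL token match a live session.

    A forged cross-site request carries the victim's cookie automatically but
    cannot include the matching hidden field, since the attacker cannot read
    the cookie value; a request missing either value is refused.
    """
    now = time.time() if now is None else now
    if not cookie_sid or not form_sid:
        return False
    # Constant-time comparison so token checks do not leak timing information.
    if not hmac.compare_digest(cookie_sid.encode(), form_sid.encode()):
        return False
    session = _sessions.get(cookie_sid)
    if session is None:
        return False
    expired = (now - session["created"] > SESSION_LIFETIME
               or now - session["last_seen"] > IDLE_TIMEOUT)
    if expired:
        del _sessions[cookie_sid]  # server-side invalidation; client must re-authenticate
        return False
    session["last_seen"] = now
    return True
```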