Reason for requiring CSRF on login page?
-
Typically CSRF tokens protect users with authenticated sessions from surreptitiously executing a single request that changes some state of the application (i.e. updating firewall rules) where the request URI parameters are known to a malicious 3rd party. For the login page the user is not authenticated, the request parameters (the user's credentials) are not likely to be known, and the single action (logging in) is unlikely to be of value to the attacker.
Having the CSRF token required on the login page does add a minor annoyance in that if you leave the login page open longer than the token life, when you go to actually log in you will have to either refresh the page or click the retry button. Minor but unnecessary.
-
Yes.
For a basic reasoning, see https://en.wikipedia.org/wiki/Cross-site_request_forgery#Forging_login_requests but there are other more detailed examples out there as well.
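The following is an added example, not code from this thread, that shows what the mitigation described above looks like in practice: the login form is served under an anonymous pre-authentication session, a CSRF token is bound to that session, and the POST handler checks the token before it looks at credentials. It also shows the expiry case raised in the first post. The session store, credential store and TOKEN_TTL are assumptions made for the demo (a real application keeps sessions server-side and stores password hashes).

```python
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Hypothetical in-memory stores for the demo (assumption: a real app keeps
# sessions server-side and stores password hashes, not plaintext).
SESSIONS: Dict[str, dict] = {}
USERS = {"alice": "correct-horse"}   # constructed demo credential
TOKEN_TTL = 3600                     # seconds a login-form token stays valid (assumption)


@dataclass
class Request:
    """Minimal stand-in for an HTTP POST: cookies plus form fields."""
    cookies: dict
    form: dict


def render_login_form(now: Optional[float] = None) -> Tuple[str, str]:
    """GET /login: start an anonymous (pre-auth) session and embed a CSRF
    token in the form. Returns (session cookie value, token for the form)."""
    sid = secrets.token_urlsafe(32)
    token = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"csrf": token, "issued": now if now is not None else time.time(), "user": None}
    return sid, token


def handle_login(req: Request, now: Optional[float] = None) -> Tuple[int, str]:
    """POST /login. The CSRF check runs before credentials are looked at,
    so a cross-site form post cannot log the browser into any account."""
    now = now if now is not None else time.time()
    sid = req.cookies.get("session", "")
    sess = SESSIONS.get(sid)
    if sess is None:
        return 403, "no pre-auth session; reload the login form"
    if now - sess["issued"] > TOKEN_TTL:
        # The annoyance from the first post: a stale form must be reloaded.
        return 403, "csrf token expired; reload the login form"
    # Constant-time compare of the form field against the token bound to
    # this browser's session; a page on another origin cannot read it.
    if not hmac.compare_digest(req.form.get("csrf_token", ""), sess["csrf"]):
        return 403, "csrf token mismatch"
    user = req.form.get("username", "")
    if USERS.get(user) != req.form.get("password"):
        return 401, "bad credentials"
    # Success: rotate the session id (against session fixation) and issue a
    # fresh token for the now-authenticated session.
    new_sid = secrets.token_urlsafe(32)
    SESSIONS.pop(sid)
    SESSIONS[new_sid] = {"csrf": secrets.token_urlsafe(32), "issued": now, "user": user}
    return 200, new_sid


def demo() -> Dict[str, int]:
    """Exercise the handler: legitimate login, cross-site post without the
    token, a token from a different session, a stale form, and a wrong password."""
    results = {}
    sid, token = render_login_form()
    results["legit"] = handle_login(Request({"session": sid},
        {"csrf_token": token, "username": "alice", "password": "correct-horse"}))[0]
    # A page on another origin can make the victim's browser submit a form
    # (the "forging login requests" scenario), but it cannot read the token
    # bound to the victim's pre-auth session, so the post lacks it.
    victim_sid, _ = render_login_form()
    results["cross_site"] = handle_login(Request({"session": victim_sid},
        {"username": "mallory", "password": "x"}))[0]
    # A token the third party obtained from its own session does not help:
    # tokens are bound per session, not global.
    _, foreign_token = render_login_form()
    results["foreign_token"] = handle_login(Request({"session": victim_sid},
        {"csrf_token": foreign_token, "username": "mallory", "password": "x"}))[0]
    sid3, tok3 = render_login_form(now=1000.0)
    results["stale"] = handle_login(Request({"session": sid3},
        {"csrf_token": tok3, "username": "alice", "password": "correct-horse"}),
        now=1000.0 + TOKEN_TTL + 1)[0]
    sid4, tok4 = render_login_form()
    results["bad_pw"] = handle_login(Request({"session": sid4},
        {"csrf_token": tok4, "username": "alice", "password": "wrong"}))[0]
    return results


if __name__ == "__main__":
    print(demo())
```

The order of checks is the design point: the token is validated against the session the browser actually presents, before any credential is examined, so the login endpoint cannot be driven from another origin even though the form's other parameters (the attacker's own username and password) are fully known to the attacker.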
-
Oh, interesting. In my understanding, if there was only one user this attack would not be possible, and possibly if the user logging in already has the maximum escalated privileges this attack becomes much less useful. I understand that these are likely small enough use cases that they would not warrant mitigation for the login page token expiry.
Thanks for the explanation!