
Have Cookie-to-Header security token on login form

Keith Poole (Agilis IT) shared this idea 8 years ago
Open Discussion

Ideally someone should not be able to POST to the login processor without going through the form first. A good example of this would be the CloudFlare login: https://www.cloudflare.com/a/login - you'll see this hidden form field:


<input type="hidden" name="security_token" autocomplete="false" value="blahblahblahblahXYZ123">


This is a once-off, so if I POST to /a/login without this, I get an "Invalid Security Token" error. This means that any visitors are first subject to the form, and then any [re]CAPTCHA or terms that are on it, and it also of course prevents rapid/scripted brute-force attacks.


More information can be found here: https://en.wikipedia.org/wiki/Cross-site_request_forgery#Cookie-to-Header_Token


I am aware that there is CSRF tokenisation after the login process to prevent that level of CSRF, and that this Cookie-to-Header token pre-login could not be the default because 3rd-party integrations would break, but it would be of massive security benefit to be able to enable it if external integrations are compatible.
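The pattern the request describes, as an added example that is not part of the original post and is not CloudFlare's or the vendor's code: when the login form is rendered (GET) the server sets a cookie and embeds a hidden `security_token`; on POST it checks that the hidden value is the HMAC of the cookie under a server-side key (so a client cannot mint its own pair), that the pair is not stale, and that it has not been used before (the "once-off" property). The class and function names, the `SERVER_KEY`, the TTL and the scenarios are all assumptions for illustration; the "browser" and "scripted" flows are simulated in-process rather than over HTTP.

```python
import hashlib
import hmac
import secrets
import time

# Constructed server-side key for the example; a real deployment loads this
# from a secret store and rotates it.
SERVER_KEY = b"example-only-key-do-not-reuse"


class LoginTokenGuard:
    """Issue and verify a pre-login cookie + hidden-field token pair.

    Hypothetical helper. The hidden field is HMAC(key, cookie), so a forged
    pair fails without the key; a server-side record makes each pair single-use.
    """

    def __init__(self, server_key: bytes, ttl_seconds: int = 600):
        self._key = server_key
        self._ttl = ttl_seconds
        self._used = {}  # nonce -> issue time, pruned as entries expire

    def issue(self, now=None):
        """Render-time (GET /login): return (cookie_value, hidden_field_value)."""
        now = int(time.time() if now is None else now)
        nonce = secrets.token_urlsafe(24)
        cookie_value = f"{nonce}.{now}"
        return cookie_value, self._mac(cookie_value)

    def _mac(self, cookie_value: str) -> str:
        return hmac.new(self._key, cookie_value.encode(), hashlib.sha256).hexdigest()

    def verify(self, cookie_value, hidden_field_value, now=None):
        """Submit-time (POST /login): return (accepted, reason)."""
        now = int(time.time() if now is None else now)
        if not cookie_value or not hidden_field_value:
            return False, "missing token"  # scripted POST that never loaded the form
        try:
            nonce, issued = cookie_value.rsplit(".", 1)
            issued = int(issued)
        except ValueError:
            return False, "malformed cookie"
        if issued > now or now - issued > self._ttl:
            return False, "expired"
        expected = self._mac(cookie_value).encode()
        # Constant-time compare; encode so a non-ASCII field cannot raise.
        if not hmac.compare_digest(expected, str(hidden_field_value).encode()):
            return False, "Invalid Security Token"
        # Drop consumed nonces that are too old to verify anyway, then enforce once-off.
        self._used = {n: t for n, t in self._used.items() if now - t <= self._ttl}
        if nonce in self._used:
            return False, "token already used"
        self._used[nonce] = issued
        return True, "ok"


def run_scenarios():
    """Simulate the flows from the request against one guard instance."""
    guard = LoginTokenGuard(SERVER_KEY, ttl_seconds=600)
    results = {}

    # 1. Script posts credentials straight to the login processor, no form fetch.
    results["direct_post"] = guard.verify(None, None, now=1000)

    # 2. Real browser: GET the form (cookie + hidden field), then POST both.
    cookie, hidden = guard.issue(now=1000)
    results["browser"] = guard.verify(cookie, hidden, now=1005)

    # 3. Brute-force loop replaying the one captured form: blocked as used.
    results["replay"] = guard.verify(cookie, hidden, now=1006)

    # 4. Attacker fabricates a cookie and hidden value without the server key.
    results["forged"] = guard.verify("attacker-nonce.1000", "0" * 64, now=1001)

    # 5. Form loaded, then submitted after the TTL has elapsed.
    cookie, hidden = guard.issue(now=1000)
    results["stale"] = guard.verify(cookie, hidden, now=1000 + 601)
    return results


if __name__ == "__main__":
    for name, (ok, reason) in run_scenarios().items():
        print(f"{name:12s} accepted={ok!s:5s} reason={reason}")
```

The check forces every submission through a prior GET of the form, which is what puts the CAPTCHA or terms in front of the visitor and breaks tools that POST credentials blindly. It is not a rate limit on its own: a script can fetch a fresh form before each attempt, so the brute-force benefit comes from whatever the form itself imposes (CAPTCHA, per-IP throttling) plus the single-use and TTL rules above, which at least stop replay of one captured pair.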
