CSRF question: Disable it for logged-in users as well? #1578
-
Hi, I'm currently exploring Craft CMS caching (Blitz, etc.) in combination with Formie forms. I already saw the JS refresh solution via https://verbb.io/craft-plugins/formie/docs/template-guides/cached-forms. I also saw that My use case is currently that I deal with logged-in users (who can only access the frontend, not the Craft backend). Is there a way to disable the CSRF check for them as well? Thanks very much in advance! Best regards,
Replies: 1 comment 1 reply
-
The very nature of CSRF token validation is to protect against authenticated users doing things they shouldn't. A good quote from https://security.stackexchange.com/questions/2525/when-should-i-not-use-csrf-protection-for-a-form
That's why that config setting exists, as tokens are generally not really needed for things like contact forms by guests. It entirely depends on the context of your forms, and what action they perform. For example, if your form used an Element integration to create entries on form submission, that should be protected. I'm hesitant to provide such a setting to disable tokens. Particularly because you can disable them at the Craft level, and it's going to encourage a bad practice where, if people can't get the CSRF token to work for whatever reason, they just disable it, opening up a security concern.