View Issue Details

IDProjectCategoryView StatusLast Update
0003954Composrcorepublic2019-11-15 21:57
ReporterChris GrahamAssigned ToSalman 
Status assignedResolutionopen 
Product Version 
Fixed in Version 
Summary0003954: AJAX session generation / httponly session ID
DescriptionThis issue is to solve a few distinct issues:

1) We cannot have the session ID as httponly as it is used as an ad-hoc CSRF token (getCsrfToken function).
2) CSRF tokens may expire which is poor user experience (for example, a form is opened, a user goes to sleep, and submits it the next day - but the token has expired).
3) Officially passing in session IDs as CSRF tokens has a theoretical security risk imposed if HTML is cached or form parameters are logged (really it's very theoretical as if this is happening, passwords on password forms are getting logged!). Ideally we absolutely minimise the points where a session ID is made visible.

So I'd like:
a) The JS getCsrfToken function to get a new CSRF token from the server using AJAX.
b) JS to detect if the CSRF token is likely stale (based on how long since the page was generated server-side, compared to the configured maximum time for the CSRF token validity), and get a new one via getCsrfToken is needed.
c) Reduce the default value of the csrf_token_expire_fresh option to 0 (as back button situations will now result in the token being refreshed via JS)
d) Reduce the default value of the csrf_token_expire_new option to 1
e) Update the config option descriptions for the above 2 options to reflect the new JS behaviour
f) Make the session ID use a httponly cookie
Additional InformationThere is no known security issue with JS and the server agreeing on a new CSRF token, because the nature of CSRF attacks is they are directed to a POSTed URL and bypass the frontend UI. The attacker cannot generate a CSRF token via AJAX as they wouldn't have the login to generate it against, and they can't make cross-domain browser requests to do it.
TagsRoadmap: v11, Type: Security
Attach Tags
Time estimation (hours)5
Sponsorship open


There are no notes attached to this issue.

Issue History

Date Modified Username Field Change
2019-11-15 21:57 Chris Graham New Issue
2019-11-15 21:57 Chris Graham Status non-assigned => assigned
2019-11-15 21:57 Chris Graham Assigned To => Salman
2019-11-15 21:57 Chris Graham Tag Attached: Roadmap: v11
2019-11-15 21:57 Chris Graham Tag Attached: Type: Security