View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0003954 | Composr | core | public | 2019-11-15 21:57 | 2021-03-13 19:28 |
Field | Value
---|---
Reporter | Chris Graham
Assigned To | Salman
Severity | Feature-request
Status | resolved
Resolution | fixed
Product Version | 
Fixed in Version | 
Summary | 0003954: AJAX session generation / httponly session ID

Description

This issue is to solve a few distinct issues:

1) We cannot have the session ID as httponly as it is used as an ad-hoc CSRF token (getCsrfToken function).
2) CSRF tokens may expire, which is poor user experience (for example, a form is opened, a user goes to sleep, and submits it the next day - but the token has expired).
3) Officially passing in session IDs as CSRF tokens has a theoretical security risk imposed if HTML is cached or form parameters are logged (really it's very theoretical, as if this is happening, passwords on password forms are getting logged!).

Ideally we absolutely minimise the points where a session ID is made visible. So I'd like:

a) The JS getCsrfToken function to get a new CSRF token from the server using AJAX.
b) JS to detect if the CSRF token is likely stale (based on how long since the page was generated server-side, compared to the configured maximum time for the CSRF token validity), and get a new one via getCsrfToken as needed.
c) Reduce the default value of the csrf_token_expire_fresh option to 0 (as back button situations will now result in the token being refreshed via JS).
d) Reduce the default value of the csrf_token_expire_new option to 1.
e) Update the config option descriptions for the above 2 options to reflect the new JS behaviour.
f) Make the session ID use a httponly cookie.

Additional Information

There is no known security issue with JS and the server agreeing on a new CSRF token, because the nature of CSRF attacks is they are directed to a POSTed URL and bypass the frontend UI. The attacker cannot generate a CSRF token via AJAX as they wouldn't have the login to generate it against, and they can't make cross-domain browser requests to do it.

Field | Value
---|---
Tags | Roadmap: v11, Type: Security
Time estimation (hours) | 5
Sponsorship open | 
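The client-side behaviour items a) and b) of the description ask for, as an added JavaScript example that is not Composr's own code: a token is reused while it is still within its validity window and refreshed from the server via a same-origin request once it looks stale. The state shape, the 30 second safety margin, the `/csrf-token` endpoint and its JSON response are assumptions.

```javascript
// Token state the server would embed when rendering the page:
// the token itself, when the page was generated, and the configured
// maximum validity of a CSRF token (assumed shape, not Composr's).
function createTokenState(token, pageGeneratedAtMs, tokenMaxAgeSec) {
  return { token, issuedAtMs: pageGeneratedAtMs, maxAgeMs: tokenMaxAgeSec * 1000 };
}

// Consider the token stale slightly before the server would, so a form
// submitted right at the boundary still carries a token the server accepts.
const SAFETY_MARGIN_MS = 30 * 1000;

function isTokenStale(state, nowMs) {
  const usableMs = Math.max(0, state.maxAgeMs - SAFETY_MARGIN_MS);
  return nowMs - state.issuedAtMs >= usableMs;
}

// Returns the current token, or a fresh one from the server if the
// page-embedded token is likely expired. fetchFreshToken is injected so the
// decision logic can be exercised without a network (see usage below).
async function getCsrfToken(state, fetchFreshToken, nowMs = Date.now()) {
  if (!isTokenStale(state, nowMs)) {
    return state.token;
  }
  const fresh = await fetchFreshToken();
  if (typeof fresh !== 'string' || fresh.length === 0) {
    throw new Error('token endpoint returned no token');
  }
  state.token = fresh;
  state.issuedAtMs = nowMs; // restart the validity window from the refresh
  return fresh;
}

// Same-origin fetch of a new token for the logged-in session. The browser
// attaches the httponly session cookie itself; the script never sees it,
// which is the point of moving the session ID out of the CSRF token.
// Assumed endpoint and response format: GET /csrf-token -> {"token": "..."}.
function fetchTokenFromServer() {
  return fetch('/csrf-token', {
    credentials: 'same-origin',
    headers: { 'X-Requested-With': 'XMLHttpRequest' },
  })
    .then((r) => { if (!r.ok) throw new Error('HTTP ' + r.status); return r.json(); })
    .then((body) => body.token);
}

// Usage in a page: getCsrfToken(state, fetchTokenFromServer).then(attachToForm)
```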
Date Modified | Username | Field | Change |
---|---|---|---|
2019-11-15 21:57 | Chris Graham | New Issue | |
2019-11-15 21:57 | Chris Graham | Status | non-assigned => assigned |
2019-11-15 21:57 | Chris Graham | Assigned To | => Salman |
2019-11-15 21:57 | Chris Graham | Tag Attached: Roadmap: v11 | |
2019-11-15 21:57 | Chris Graham | Tag Attached: Type: Security | |
2021-03-13 19:28 | Chris Graham | Status | assigned => resolved |
2021-03-13 19:28 | Chris Graham | Resolution | open => fixed |