[Bug 42924] New: Restore default MaxAge for CSRF token
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=42924 Bug ID: 42924 Summary: Restore default MaxAge for CSRF token Initiative type: --- Sponsorship --- status: Product: Koha Version: Main Hardware: All OS: All Status: NEW Severity: minor Priority: P5 - low Component: Architecture, internals, and plumbing Assignee: koha-bugs@lists.koha-community.org Reporter: dcook@prosentient.com.au QA Contact: testopia@bugs.koha-community.org Target Milestone: --- Bug 17110 lowered the default MaxAge for the CSRF token from 1 week to 8 hours, but that has led to increased usability problems for negligible security gains. I propose to restore the default which is closer to the per-session approach for CSRF tokens which tends to be the default in many web frameworks like Django. -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=42924 David Cook <dcook@prosentient.com.au> changed: What |Removed |Added ---------------------------------------------------------------------------- Assignee|koha-bugs@lists.koha-commun |dcook@prosentient.com.au |ity.org | Depends on| |17110 See Also| |https://bugs.koha-community | |.org/bugzilla3/show_bug.cgi | |?id=42876 Referenced Bugs: https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=17110 [Bug 17110] Lower CSRF expiry in Koha::Token -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=42924 David Cook <dcook@prosentient.com.au> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |Needs Signoff -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=42924 --- Comment #1 from David Cook <dcook@prosentient.com.au> --- Created attachment 201144 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=201144&action=edit Bug 42924: Restore default MaxAge for CSRF token This patch changes the default MaxAge from 8 hours to 168 hours or 7 days due to usability issues encountered from using a short-lived token. See OWASP for more information on why timestamps with expiry are not necessary for CSRF tokens. The MaxAge is a requirement of the WWW::CSRF token used by Koha, so let's just use a longer expiry in lieu of no expiry. Test plan: 0. apply patch 1. prove t/Token.t -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=42924 David Cook <dcook@prosentient.com.au> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |jonathan.druart@gmail.com -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=42924 Jonathan Druart <jonathan.druart@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Needs Signoff |Signed Off -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=42924 Jonathan Druart <jonathan.druart@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #201144|0 |1 is obsolete| | -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=42924 --- Comment #2 from Jonathan Druart <jonathan.druart@gmail.com> --- Created attachment 201169 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=201169&action=edit Bug 42924: Restore default MaxAge for CSRF token This patch changes the default MaxAge from 8 hours to 168 hours or 7 days due to usability issues encountered from using a short-lived token. See OWASP for more information on why timestamps with expiry are not necessary for CSRF tokens. The MaxAge is a requirement of the WWW::CSRF token used by Koha, so let's just use a longer expiry in lieu of no expiry. Test plan: 0. apply patch 1. prove t/Token.t Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=42924 Jonathan Druart <jonathan.druart@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- QA Contact|testopia@bugs.koha-communit |m.de.rooy@rijksmuseum.nl |y.org | -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=42924 --- Comment #3 from David Cook <dcook@prosentient.com.au> --- Thanks, Jonathan. Much appreciated! -- You are receiving this mail because: You are watching all bug changes.
participants (1)
-
bugzilla-daemon@bugs.koha-community.org