20 Mar
2017
20 Mar
'17
11:27 a.m.
Hi, I think I found a problem with how we use CSRF tokens. If a token is discovered by an attacker, and if the user leaves their session open, the attacker can use the token to impersonate the user on every CSRF-protected form during 8 hours (Koha::Token::CSRF_EXPIRY_HOURS). Is this a known issue ? Bug 18124 restricts token to a user's session. Maybe it would be good to restrict to a particular form too. To go further, I think we should have a way to invalidate tokens after their use, so a token can never be used twice. Any thoughts ? -- Julian Maurice <julian.maurice@biblibre.com> BibLibre