[Koha-bugs] [Bug 17110] Lower CSRF expiry in Koha::Token

bugzilla-daemon at bugs.koha-community.org bugzilla-daemon at bugs.koha-community.org
Tue Aug 23 14:43:08 CEST 2016


https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=17110

--- Comment #9 from Marcel de Rooy <m.de.rooy at rijksmuseum.nl> ---
(In reply to Jonathan Druart from comment #8)
> Could you please detail why you need this change?
> It will break the following use case:
> - Start to fill in a form
> - *Ring bell end of the day*
> - you hurry up to get back home quickly
> - Tomorrow morning, you finish filling in the form
> - Submit
> - You lost your changes
> 
> Ok it's a bit far-fetched but I don't understand what this 8-hour
> limitation will bring us.

You only need the token between loading the form and submitting it. I do not
understand why you need 7 days for doing so?

Suppose an attacker got a CSRF token somehow from one user. Now he only needs
that user to click on a malicious Koha URL that also sends the token. The
amount of danger is obviously directly related to the length of the expiry
period. Shorter is better, but should be balanced with ease of use.
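As an added illustration of the trade-off discussed above (example code written for this page; it is not Koha's code and does not show how Koha::Token is implemented): a constructed time-bound CSRF token, checked against a configurable maximum age, plus a helper reporting how long a leaked token would stay accepted under an 8-hour versus a 7-day expiry. The secret, session ids and token layout are assumptions.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Constructed server-side secret; a real deployment loads this from configuration.
SECRET = b"example-secret-not-for-production"

SEVEN_DAYS = 7 * 24 * 3600   # the expiry the bug report argues against
EIGHT_HOURS = 8 * 3600       # the expiry the bug report proposes


def generate_csrf_token(session_id: str, now: Optional[int] = None) -> str:
    """Token = issue time : nonce : hex HMAC over (session_id, issue time, nonce)."""
    issued = int(time.time()) if now is None else now
    nonce = secrets.token_hex(8)
    msg = f"{session_id}:{issued}:{nonce}".encode()
    mac = hmac.new(SECRET, msg, hashlib.sha256).hexdigest()
    return f"{issued}:{nonce}:{mac}"


def check_csrf_token(session_id: str, token: str, max_age: int,
                     now: Optional[int] = None) -> str:
    """Return 'ok', 'expired' or 'invalid' (malformed, forged, or wrong session)."""
    current = int(time.time()) if now is None else now
    try:
        issued_str, nonce, mac = token.split(":")
        issued = int(issued_str)
    except ValueError:
        return "invalid"
    msg = f"{session_id}:{issued}:{nonce}".encode()
    expected = hmac.new(SECRET, msg, hashlib.sha256).hexdigest()
    # Constant-time compare; a token bound to another session fails here too.
    if not hmac.compare_digest(mac, expected):
        return "invalid"
    if current - issued > max_age:
        return "expired"
    return "ok"


def remaining_validity(token: str, max_age: int, now: int) -> int:
    """Seconds a (possibly leaked) token is still accepted under max_age; 0 if expired."""
    issued = int(token.split(":")[0])
    return max(0, issued + max_age - now)
```

A token that leaked one hour after issue remains usable for almost a week under the 7-day setting, but for only seven more hours under the 8-hour setting; the form-load-to-submit window is what the expiry should cover.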
