[Koha-devel] CSRF token problem?

Julian Maurice julian.maurice at biblibre.com
Mon Mar 20 12:27:12 CET 2017


Hi,

I think I found a problem with how we use CSRF tokens.
If a token is discovered by an attacker, and if the user leaves their 
session open, the attacker can use the token to impersonate the user on 
every CSRF-protected form during 8 hours (Koha::Token::CSRF_EXPIRY_HOURS).

Is this a known issue?

Bug 18124 restricts token to a user's session. Maybe it would be good to 
restrict to a particular form too.
To go further, I think we should have a way to invalidate tokens after 
their use, so a token can never be used twice.

Any thoughts?

-- 
Julian Maurice <julian.maurice at biblibre.com>
BibLibre
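The three mitigations discussed in the post (binding a token to the session, binding it to one form, and rejecting a token after first use, all under the 8-hour expiry) as an added, self-contained illustration in Python; this is not Koha code and the class, method and form names are assumptions made for the example.

```python
import hmac
import hashlib
import secrets
import time

# Same lifetime as the 8-hour CSRF_EXPIRY_HOURS mentioned in the post.
CSRF_EXPIRY_SECONDS = 8 * 3600


class CsrfTokenStore:
    """Issues tokens bound to (session, form) and accepts each one only once.

    The token is "<issued-at>.<nonce>.<hmac>"; the HMAC covers session id,
    form id, issue time and nonce, so none of them can be swapped without
    the server's secret. (Hypothetical class for illustration.)
    """

    def __init__(self, secret: bytes, now=time.time):
        self._secret = secret
        self._now = now          # injectable clock, so expiry can be tested
        self._used = set()       # consumed nonces; a real deployment keeps these in a shared store

    def _mac(self, session_id, form_id, issued, nonce):
        msg = f"{session_id}|{form_id}|{issued}|{nonce}".encode()
        return hmac.new(self._secret, msg, hashlib.sha256).hexdigest()

    def issue(self, session_id, form_id):
        issued = int(self._now())
        nonce = secrets.token_hex(16)
        return f"{issued}.{nonce}.{self._mac(session_id, form_id, issued, nonce)}"

    def verify(self, token, session_id, form_id):
        """Return True once for a valid token; False for any other submission."""
        try:
            issued_s, nonce, mac = token.split(".")
            issued = int(issued_s)
        except ValueError:
            return False         # malformed
        expected = self._mac(session_id, form_id, issued, nonce)
        if not hmac.compare_digest(mac, expected):
            return False         # other session, other form, or tampered
        if self._now() - issued > CSRF_EXPIRY_SECONDS:
            return False         # past the 8-hour window
        if nonce in self._used:
            return False         # replay: a leaked token stops working after first use
        self._used.add(nonce)
        return True
```

Consumed nonces only need to be remembered until their token would have expired anyway, so the store can be pruned on that schedule.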