[Owncloud] CSRF behaviour is annoying

Bernhard Posselt nukeawhale at gmail.com
Mon Oct 1 17:11:00 UTC 2012


Thank you a lot for implementing this. I've tried it out and I don't get
the error any more when using the news application :)

On 09/30/2012 08:47 PM, Christian Reiner wrote:
> Hello Bernhard, hello list, 
>
>> On 09/14/2012 11:31 PM, Christian Reiner wrote:
>>> Hello Bernhard,
>>>
>>>> On Friday 14 September 2012 23:07:35 Bernhard Posselt wrote:
>>>> I got my rss reader (news app) open for a long time, basically i use it
>>>> like a normal application. After one hour it forces me to reload the
>>>> page which is really annoying.
>>> that is indeed annoying and a problem I ran into as well. It is caused by
>>> the static way the CSRF protection is designed inside owncloud. The
>>> problem occurs at least for all those apps implemented as client-side
>>> applications. With this I mean applications loading once inside the
>>> owncloud framework and working without requiring a full page reload for
>>> every action.
>>> I solved this for my 'Shorty' app by simply refreshing the CSRF token
>>> shortly before it becomes invalid. This strategy works fine for me. I do
>>> not think this refresh strategy is a security threat. Because in the end
>>> all other apps do the same with their frequent full page reloads.
>>>
>>> However there is one issue I am not certain yet how to decide:
>>> the problem you mention still occurs even when using that refresh strategy
>>> just mentioned in case you had suspended or hibernated the system and wake
>>> it up again. Since the token could not be refreshed during the down time
>>> it might be invalid now. Two possible solutions: a reload (argh!) or
>>> the ajax call that refreshes the token does _not_ protect itself with the
>>> CSRF protection, so does not require the token itself. Although this
>>> appears to open a security threat on first sight I am not that sure about
>>> it: in the end a full page reload does nothing else...
>>>
>>>> What about generating the CSRF value for each user and renew it on every
>>>> login? So the cookie will still be renewed but without ever bugging the
>>>> user.
>>> Moving the token into a cookie does not change anything. I assume you mean
>>> something else: Keep the token in a cookie and consider it valid during
>>> the whole session. So as long as that session cookie is valid.
>>> This ignores one of the basic ideas of CSRF: the token being usable only
>>> for a small period of time. So I don't think that is a good idea: there
>>> are reasons to invalidate the tokens after a certain time. The current
>>> time span of one hour is a compromise between convenience and security.
>>> The longer that period gets the more static the character of the page
>>> gets from the point of view of potential misusing code.
>>>
>>> I am glad you brought that problem up.
>>> It is worth being discussed, since the current compromise is indeed
>>> annoying. And annoyed users are a very, very bad thing...
>>>
>>> So: any comments? ideas? drawbacks?
> On Saturday 15 September 2012 00:06:00 Bernhard Posselt wrote:
>> What if there was a built in post request that renews the token?
> Ok. implemented and merged in OC core on 2012-09-28: 
> https://github.com/owncloud/core/commit/cfc98398120065d33659f36573f81bcea9a3e97d
> The change will be part of ownCloud version 4.5. Maybe you can give it a short 
> try and check if your problem is solved? Thanks!
>
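The refresh-before-expiry strategy and the suspend/hibernate failure mode discussed in the thread, as an added illustration that is not ownCloud's or the Shorty app's code. The refresh endpoint, the `X-Requested-Token` header, the one-hour lifetime with a five-minute renewal margin, the 403 response and the in-memory server are all assumptions made for the example; ownCloud's real endpoint and header names are not taken from this page.

```javascript
// Added example, not ownCloud code: keeping a CSRF token fresh in a
// long-running client-side app, and recovering when the token went stale
// while the machine was suspended. Endpoint, header name, TTL, margin and
// the 403 status are assumptions for illustration only.

const TOKEN_TTL_MS = 60 * 60 * 1000;      // one-hour token lifetime, as in the thread
const REFRESH_MARGIN_MS = 5 * 60 * 1000;  // renew the token 5 minutes before it expires

// Constructed, controllable clock so the example runs offline and deterministically.
function makeClock(start = 0) {
  let t = start;
  return { now: () => t, advance: (ms) => { t += ms; } };
}

// Constructed in-memory stand-in for the server side.
function makeFakeServer(clock) {
  let counter = 0;
  let current = { value: `tok-${counter}`, issuedAt: clock.now() };
  const isValid = (tok) =>
    tok === current.value && clock.now() - current.issuedAt < TOKEN_TTL_MS;
  return {
    refreshCalls: 0,
    // Token refresh endpoint: authenticated by the session cookie only, so it
    // works even when the old token has expired (same outcome as a full reload).
    refresh() {
      this.refreshCalls += 1;
      counter += 1;
      current = { value: `tok-${counter}`, issuedAt: clock.now() };
      return { status: 200, body: { token: current.value, ttl: TOKEN_TTL_MS } };
    },
    // Constructed: a server-side rotation the client cannot observe.
    rotate() {
      counter += 1;
      current = { value: `tok-${counter}`, issuedAt: clock.now() };
    },
    // A state-changing action protected by the token.
    action(headers, payload) {
      if (!isValid(headers['X-Requested-Token'])) {
        return { status: 403, body: { error: 'CSRF check failed' } };
      }
      return { status: 200, body: { ok: true, payload } };
    },
  };
}

class CsrfClient {
  constructor(server, clock, initialToken) {
    this.server = server;
    this.clock = clock;
    this.token = initialToken;                // token embedded in the page at load time
    this.expiresAt = clock.now() + TOKEN_TTL_MS;
    this.retries = 0;
  }

  // Wall-clock check rather than a timer: setInterval does not fire while
  // the machine is suspended, but Date.now() is correct again after wake-up.
  needsRefresh() {
    return this.clock.now() >= this.expiresAt - REFRESH_MARGIN_MS;
  }

  refreshToken() {
    const resp = this.server.refresh();
    this.token = resp.body.token;
    this.expiresAt = this.clock.now() + resp.body.ttl;
  }

  // Sends a protected request; retries exactly once with a fresh token on 403.
  request(payload) {
    if (this.needsRefresh()) this.refreshToken();
    let resp = this.server.action({ 'X-Requested-Token': this.token }, payload);
    if (resp.status === 403) {
      // Fallback for tokens invalidated server-side without the client knowing.
      this.retries += 1;
      this.refreshToken();
      resp = this.server.action({ 'X-Requested-Token': this.token }, payload);
    }
    return resp;
  }
}

// Walk through the scenario from the thread and return what happened.
function runScenario() {
  const clock = makeClock();
  const server = makeFakeServer(clock);
  const client = new CsrfClient(server, clock, 'tok-0');
  const out = {};
  out.first = client.request('mark-read').status;        // 200 with the page-load token
  clock.advance(56 * 60 * 1000);                           // 56 min later: inside the refresh margin
  out.second = client.request('mark-read').status;        // 200, token renewed proactively
  out.refreshesAfterSecond = server.refreshCalls;         // 1
  clock.advance(2 * 60 * 60 * 1000);                       // machine suspended for 2 hours
  out.afterWake = client.request('mark-read').status;     // 200: wall clock shows token stale, renewed before sending
  out.retriesAfterWake = client.retries;                  // 0
  server.rotate();                                         // constructed server-side rotation
  out.afterRotate = client.request('mark-read').status;   // 200 after one 403-and-retry
  out.retriesAfterRotate = client.retries;                // 1
  out.refreshesTotal = server.refreshCalls;               // 3
  return out;
}
```

The wall-clock check is what covers the hibernate case Christian raises: a timer-driven refresh simply never runs while the machine is asleep, whereas comparing against the recorded expiry time at the moment of the next request detects the gap. The single retry on 403 is a safety net for server-side invalidation, and it is bounded to one attempt so a genuinely rejected request cannot loop.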



