[Owncloud] CSRF behaviour is annoying

Christian Reiner foss at christian-reiner.info
Fri Sep 14 21:31:17 UTC 2012

Hello Bernhard, 

On Friday 14 September 2012 23:07:35 Bernhard Posselt wrote:
> I got my rss reader (news app) open for a long time, basically I use it
> like a normal application. After one hour it forces me to reload the
> page which is really annoying.

that is indeed annoying and a problem I ran into as well. It is caused by the 
static way the CSRF protection is designed inside owncloud. The problem occurs 
at least for all those apps implemented as client side applications. With this 
I mean applications loading once inside the owncloud framework and working 
without requiring a full page reload for every action. 
I solved this for my 'Shorty' app by simply refreshing the CSRF token shortly 
before it becomes invalid. This strategy works fine for me. I do not think 
this refresh strategy is a security threat, because in the end all other apps 
do the same with their frequent full page reloads. 

However there is one issue I am not certain yet how to decide: 
the problem you mention still occurs even when using that refresh strategy 
just mentioned, in case you had suspended or hibernated the system and wake it 
up again. Since the token could not be refreshed during the down time it might 
be invalid now. I see two possible solutions: a reload (argh!), or the ajax call 
that refreshes the token does _not_ protect itself with the CSRF protection, 
so does not require the token itself. Although this appears to open a security 
threat at first sight I am not that sure about it: in the end a full page 
reload does nothing else...

> What about generating the CSRF value for each user and renew it on every
> login? So the cookie will still be renewed but without ever bugging the
> user.

Moving the token into a cookie does not change anything. I assume you mean 
something else: keep the token in a cookie and consider it valid during the 
whole session, i.e. as long as that session cookie is valid. 
This ignores one of the basic ideas of CSRF: the token being usable only for a 
small period of time. So I don't think that is a good idea: there are reasons 
to invalidate the tokens after a certain time. The current time span of one 
hour is a compromise between convenience and security. The longer that period 
gets the more static the character of the page gets from the point of view of 
potential misusing code. 

I am glad you brought that problem up. 
It is worth being discussed, since the current compromise is indeed annoying. 
And annoyed users are a very, very bad thing...

So: any comments? ideas? drawbacks? 

Christian Reiner (arkascha)
[ foss at christian-reiner.info ]
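The refresh strategy described in the mail, written out as an added example that is not ownCloud or Shorty code: a client-side token manager that refreshes the CSRF token shortly before its one-hour lifetime ends, and that re-checks the token's age at request time so the suspend/hibernate case (where the scheduled refresh could not fire) is caught instead of failing the next request. The one-hour lifetime comes from the thread; the five-minute refresh margin, the injected `fetchToken` callback, the `requesttoken` header name and the injectable clock are assumptions made for this example.

```javascript
// Added example, not ownCloud or Shorty code. Token lifetime is the one hour
// from the thread; REFRESH_MARGIN_MS, fetchToken and the header name are assumptions.
const TOKEN_LIFETIME_MS = 60 * 60 * 1000; // one hour, as in the thread
const REFRESH_MARGIN_MS = 5 * 60 * 1000;  // refresh this long before expiry (assumption)

// Pure helpers so the timing logic can be checked without timers or a browser.
function isStaleAge(ageMs, lifetimeMs) {
  // Stale once the token is within the margin of expiry. After a suspend the wall
  // clock has jumped forward, so a large age here is exactly the missed-refresh case.
  return ageMs >= lifetimeMs - REFRESH_MARGIN_MS;
}

function refreshDelayMs(ageMs, lifetimeMs) {
  return Math.max(0, lifetimeMs - REFRESH_MARGIN_MS - ageMs);
}

class CsrfTokenManager {
  // fetchToken: async () => ({ token, lifetimeMs }) calling the server's token
  // endpoint (hypothetical). now: clock function, injectable for tests.
  constructor(fetchToken, now = () => Date.now()) {
    this.fetchToken = fetchToken;
    this.now = now;
    this.token = null;
    this.issuedAt = 0;
    this.lifetimeMs = TOKEN_LIFETIME_MS;
    this.timer = null;
    this.inFlight = null; // de-duplicates concurrent refreshes
  }

  age() {
    return this.token === null ? Infinity : this.now() - this.issuedAt;
  }

  isStale() {
    return isStaleAge(this.age(), this.lifetimeMs);
  }

  refresh() {
    if (this.inFlight) return this.inFlight;
    this.inFlight = this.fetchToken()
      .then(({ token, lifetimeMs }) => {
        this.token = token;
        this.issuedAt = this.now();
        this.lifetimeMs = lifetimeMs || TOKEN_LIFETIME_MS;
        this.schedule();
        return token;
      })
      .finally(() => { this.inFlight = null; });
    return this.inFlight;
  }

  // Proactive refresh before expiry, so an idle-but-open page keeps working.
  schedule() {
    this.stop();
    this.timer = setTimeout(() => { this.refresh().catch(() => {}); },
                            refreshDelayMs(this.age(), this.lifetimeMs));
    if (typeof this.timer.unref === 'function') this.timer.unref(); // Node: don't hold the process open
  }

  // Always check the age at request time: this is what catches the suspend/resume
  // case, where the timer callback could not run while the machine was down.
  async getToken() {
    if (this.isStale()) await this.refresh();
    return this.token;
  }

  // Attach the token to outgoing request headers (header name is an assumption).
  async withToken(headers = {}) {
    return { ...headers, requesttoken: await this.getToken() };
  }

  stop() {
    if (this.timer) clearTimeout(this.timer);
    this.timer = null;
  }
}
```

Every request goes through `withToken()`, so a page that wakes from hibernation with a token three hours old refreshes it once and then proceeds, with no reload. The refresh call itself still rides on the session cookie; whether that endpoint must also carry the previous token is the open question the mail raises, and the manager is indifferent to it because `fetchToken` is injected.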

