[Owncloud] CSRF behaviour is annoying
Christian Reiner
foss at christian-reiner.info
Fri Sep 14 21:31:17 UTC 2012
Hello Bernhard,
> On Friday 14 September 2012 23:07:35 Bernhard Posselt wrote:
> I got my rss reader (news app) open for a long time, basically i use it
> like a normal application. After one hour it forces me to reload the
> page which is really annoying.
that is indeed annoying and a problem I ran into as well. It is caused by the
static way the CSRF protection is designed inside owncloud. The problem occurs
at least for all those apps implemented as client side application. With this
I mean applications loading once inside the owncloud framework and working
without requiring a full page reload for every action.
I solved this for my 'Shorty' app by simply refreshing the CSRF token shortly
before it becomes invalid. This strategy works fine for me. I do not think
this refresh strategy is a security threat, because in the end all other apps
do the same with their frequent full page reloads.
However there is one issue I am not certain yet how to decide:
the problem you mention still occurs even when using that refresh strategy
just mentioned in case you had suspended or hibernated the system and woke it
up again. Since the token could not be refreshed during the down time it might
be invalid now. One of two possible solutions: a reload (argh!) or the ajax call
that refreshes the token does _not_ protect itself with the CSRF protection,
so does not require the token itself. Although this appears to open a security
threat at first sight I am not that sure about it: in the end a full page
reload does nothing else...
> What about generating the CSRF value for each user and renew it on every
> login? So the cookie will still be renewed but without ever bugging the
> user.
Moving the token into a cookie does not change anything. I assume you mean
something else: Keep the token in a cookie and consider it valid during the
whole session. So as long as that session cookie is valid.
This ignores one of the basic ideas of CSRF: the token being usable only for a
small period of time. So I don't think that is a good idea: there are reasons
to invalidate the tokens after a certain time. The current time span of one
hour is a compromise between convenience and security. The longer that period
gets the more static the character of the page gets from the point of view of
potential misusing code.
I am glad you brought that problem up.
It is worth being discussed, since the current compromise is indeed annoying.
And annoyed users are a very, very bad thing...
So: any comments? ideas? drawbacks?
--
Christian Reiner (arkascha)
[ foss at christian-reiner.info ]
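The refresh-before-expiry strategy and the wake-from-suspend case discussed in the message above, as an added example that is neither ownCloud's nor the Shorty app's own code. It keeps the token-handling decision logic separate from the network call so it can be exercised with a fake clock. The one-hour lifetime comes from the thread; the refresh URL, its JSON reply shape and the "requesttoken" header name are assumptions.

```javascript
// Added example, not ownCloud's or the Shorty app's own code. Keeps a CSRF
// token alive in a long-running client-side app: it asks for a refresh
// shortly before the one-hour lifetime ends, and treats a large clock gap
// between timer ticks (suspend/hibernate) as a sign the token may be stale.
// Assumed: the refresh URL, its reply {"token": "..."} and the header name.

const TOKEN_LIFETIME_MS = 60 * 60 * 1000; // one hour, as in the thread
const REFRESH_MARGIN_MS = 5 * 60 * 1000;  // ask for a new token 5 min early
const TICK_MS = 60 * 1000;                // timer period for the check

class CsrfTokenKeeper {
  // now() is injected so the logic can be exercised with a fake clock.
  constructor(initialToken, now = () => Date.now()) {
    this.now = now;
    this.lastTick = now();
    this.update(initialToken);
  }

  update(token) {          // store a freshly issued token
    this.token = token;
    this.issuedAt = this.now();
  }

  isExpired() {
    return this.now() - this.issuedAt >= TOKEN_LIFETIME_MS;
  }

  // Decides whether the caller must fetch a new token right now. A gap of
  // more than two ticks means timers did not fire: the machine was asleep,
  // so the token may have expired without the scheduled refresh happening.
  tick() {
    const t = this.now();
    const slept = t - this.lastTick > 2 * TICK_MS;
    this.lastTick = t;
    const nearExpiry = t - this.issuedAt >= TOKEN_LIFETIME_MS - REFRESH_MARGIN_MS;
    return slept || nearExpiry;
  }

  // Header for an AJAX call, or null if the token is already stale (the
  // caller must refresh before sending, instead of forcing a page reload).
  header() {
    return this.isExpired() ? null : { requesttoken: this.token };
  }
}

// Browser wiring (hypothetical refresh endpoint): poll the keeper and fetch
// a new token whenever it asks for one.
function startRefreshLoop(keeper, refreshUrl = "/index.php/apps/myapp/ajax/refreshtoken.php") {
  return setInterval(async () => {
    if (keeper.tick()) {
      const res = await fetch(refreshUrl, { credentials: "same-origin" });
      keeper.update((await res.json()).token);
    }
  }, TICK_MS);
}
```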