[Owncloud] CSRF behaviour is annoying
nukeawhale at gmail.com
Fri Sep 14 22:06:00 UTC 2012
What if there was a built in post request that renews the token?
On 09/14/2012 11:31 PM, Christian Reiner wrote:
> Hello Bernhard,
>> On Friday 14 September 2012 23:07:35 Bernhard Posselt wrote:
>> I got my rss reader (news app) open for a long time, basically i use it
>> like a normal application. After one hour it forces me to reload the
>> page which is really annoying.
> that is indeed annoyoing and a problem I ran into as well. It is caused by the
> static way the CSRF protection is designed inside owncloud. The problem occurs
> at least for all those apps implemented as client side application. With this
> I mean applications loading once inside the owncloud framework and working
> without requiring a full page reload for every action.
> I solved this for my 'Shorty' app by simply refreshing the CSRF token shortly
> before it becomes invalid. This strategy works fine for me. I do not think
> this refresh strategy is a security thread. Because in the end all other apps
> do the same with their frequent full page reloads.
> However there is one issue I am not certain yet how to decide:
> the problem you mention still occurs even when using that refresh strategy
> just mentioned in case you had suspended or hibernated the system and wake it
> up again. Since the token could not be refreshed during the down time it might
> be invalid now. One two possible solutions: a reload (argh!) or the ajax call
> that refreshes the token does _not_ protect itself with the CSRF protection,
> so does not require the token itself. Although this appears to open a security
> thread on first sight I am not that sure about it: in the end a full page
> reload does nothing else...
>> What about generating the CSRF value for each user and renew it on every
>> login? So the cookie will still be renewed but without ever bugging the
> Moving the token into a cookie does not change anything. I assum you mean
> something else: Keep the token in a cookie and consider it valid during the
> whole session. So as long as that session cookie is valid.
> This ignores one of the basic ideas of CSRF: the token being usable only for a
> small period of time. So I don't think that is a good idea: there are reasons
> to invalidate the tokens after a certain time. The current time span of one
> hour is a compromise between convenience and security. The longer that period
> gets the more static the character of the page gets from the piont of view of
> potential missusing code.
> I am glad you brought that problem up.
> It is worth being discussed, since the current compromise is indeed annoying.
> And annoyed users are a very, very bad thing...
> So: any comments? ideas? drawbacks?
More information about the Owncloud