[Owncloud] CSRF behaviour is annoying

Bernhard Posselt nukeawhale at gmail.com
Fri Sep 14 22:06:00 UTC 2012


What if there was a built-in POST request that renews the token?

On 09/14/2012 11:31 PM, Christian Reiner wrote:
> Hello Bernhard, 
>
> On Friday 14 September 2012 23:07:35 Bernhard Posselt wrote:
>> I have my RSS reader (news app) open for a long time; basically I use it
>> like a normal application. After one hour it forces me to reload the
>> page, which is really annoying.
> That is indeed annoying and a problem I ran into as well. It is caused by the 
> static way the CSRF protection is designed inside ownCloud. The problem occurs 
> at least for all those apps implemented as client-side applications. By this 
> I mean applications loading once inside the ownCloud framework and working 
> without requiring a full page reload for every action. 
> I solved this for my 'Shorty' app by simply refreshing the CSRF token shortly 
> before it becomes invalid. This strategy works fine for me. I do not think 
> this refresh strategy is a security threat, because in the end all other apps 
> do the same with their frequent full page reloads. 
>
> However, there is one issue I am not yet certain how to decide: 
> the problem you mention still occurs even when using the refresh strategy 
> just mentioned, in case you had suspended or hibernated the system and wake it 
> up again. Since the token could not be refreshed during the down time it might 
> be invalid now. There are two possible solutions: a reload (argh!), or the AJAX call 
> that refreshes the token does _not_ protect itself with the CSRF protection, 
> so it does not require the token itself. Although this appears to open a security 
> threat at first sight, I am not that sure about it: in the end a full page 
> reload does nothing else...
>
>> What about generating the CSRF value for each user and renewing it on every
>> login? So the cookie will still be renewed, but without ever bugging the
>> user.
> Moving the token into a cookie does not change anything. I assume you mean 
> something else: keep the token in a cookie and consider it valid during the 
> whole session, so as long as that session cookie is valid. 
> This ignores one of the basic ideas of CSRF: the token being usable only for a 
> small period of time. So I don't think that is a good idea: there are reasons 
> to invalidate the tokens after a certain time. The current time span of one 
> hour is a compromise between convenience and security. The longer that period 
> gets, the more static the character of the page gets from the point of view of 
> potentially misusing code. 
>
> I am glad you brought that problem up. 
> It is worth being discussed, since the current compromise is indeed annoying. 
> And annoyed users are a very, very bad thing...
>
> So: any comments? ideas? drawbacks? 
>
