[Owncloud] CSRF behaviour is annoying

Frank Karlitschek frank at owncloud.org
Fri Sep 14 22:13:54 UTC 2012

This would be the preferred solution from a security point of view.


On 15.09.2012, at 00:06, Bernhard Posselt <nukeawhale at gmail.com> wrote:

> What if there was a built in post request that renews the token?
> On 09/14/2012 11:31 PM, Christian Reiner wrote:
>> Hello Bernhard, 
>>> On Friday 14 September 2012 23:07:35 Bernhard Posselt wrote:
>>> I got my rss reader (news app) open for a long time, basically i use it
>>> like a normal application. After one hour it forces me to reload the
>>> page which is really annoying.
>> that is indeed annoyoing and a problem I ran into as well. It is caused by the 
>> static way the CSRF protection is designed inside owncloud. The problem occurs 
>> at least for all those apps implemented as client side application. With this 
>> I mean applications loading once inside the owncloud framework and working 
>> without requiring a full page reload for every action. 
>> I solved this for my 'Shorty' app by simply refreshing the CSRF token shortly 
>> before it becomes invalid. This strategy works fine for me. I do not think 
>> this refresh strategy is a security thread. Because in the end all other apps 
>> do the same with their frequent full page reloads. 
>> However there is one issue I am not certain yet how to decide: 
>> the problem you mention still occurs even when using that refresh strategy 
>> just mentioned in case you had suspended or hibernated the system and wake it 
>> up again. Since the token could not be refreshed during the down time it might 
>> be invalid now. One two possible solutions: a reload (argh!) or the ajax call 
>> that refreshes the token does _not_ protect itself with the CSRF protection, 
>> so does not require the token itself. Although this appears to open a security 
>> thread on first sight I am not that sure about it: in the end a full page 
>> reload does nothing else...
>>> What about generating the CSRF value for each user and renew it on every
>>> login? So the cookie will still be renewed but without ever bugging the
>>> user.
>> Moving the token into a cookie does not change anything. I assum you mean 
>> something else: Keep the token in a cookie and consider it valid during the 
>> whole session. So as long as that session cookie is valid. 
>> This ignores one of the basic ideas of CSRF: the token being usable only for a 
>> small period of time. So I don't think that is a good idea: there are reasons 
>> to invalidate the tokens after a certain time. The current time span of one 
>> hour is a compromise between convenience and security. The longer that period 
>> gets the more static the character of the page gets from the piont of view of 
>> potential missusing code. 
>> I am glad you brought that problem up. 
>> It is worth being discussed, since the current compromise is indeed annoying. 
>> And annoyed users are a very, very bad thing...
>> So: any comments? ideas? drawbacks? 
> _______________________________________________
> Owncloud mailing list
> Owncloud at kde.org
> https://mail.kde.org/mailman/listinfo/owncloud

More information about the Owncloud mailing list