[Owncloud] CSRF behaviour is annoying

Christian Reiner foss at christian-reiner.info
Sun Sep 30 18:47:15 UTC 2012


Hello Bernhard, hello list, 

> On 09/14/2012 11:31 PM, Christian Reiner wrote:
> > Hello Bernhard,
> > 
> >> On Friday 14 September 2012 23:07:35 Bernhard Posselt wrote:
> >> I got my rss reader (news app) open for a long time, basically i use it
> >> like a normal application. After one hour it forces me to reload the
> >> page which is really annoying.
> > 
> > that is indeed annoying and a problem I ran into as well. It is caused by
> > the static way the CSRF protection is designed inside owncloud. The
> > problem occurs at least for all those apps implemented as client side
> > application. With this I mean applications loading once inside the
> > owncloud framework and working without requiring a full page reload for
> > every action.
> > I solved this for my 'Shorty' app by simply refreshing the CSRF token
> > shortly before it becomes invalid. This strategy works fine for me. I do
> > not think this refresh strategy is a security threat. Because in the end
> > all other apps do the same with their frequent full page reloads.
> > 
> > However there is one issue I am not certain yet how to decide:
> > the problem you mention still occurs even when using that refresh strategy
> > just mentioned in case you had suspended or hibernated the system and wake
> > it up again. Since the token could not be refreshed during the down time
> > it might be invalid now. Two possible solutions: a reload (argh!) or
> > the ajax call that refreshes the token does _not_ protect itself with the
> > CSRF protection, so does not require the token itself. Although this
> > appears to open a security threat on first sight I am not that sure about
> > it: in the end a full page reload does nothing else...
> > 
> >> What about generating the CSRF value for each user and renew it on every
> >> login? So the cookie will still be renewed but without ever bugging the
> >> user.
> > 
> > Moving the token into a cookie does not change anything. I assume you mean
> > something else: Keep the token in a cookie and consider it valid during
> > the whole session. So as long as that session cookie is valid.
> > This ignores one of the basic ideas of CSRF: the token being usable only
> > for a small period of time. So I don't think that is a good idea: there
> > are reasons to invalidate the tokens after a certain time. The current
> > time span of one hour is a compromise between convenience and security.
> > The longer that period gets the more static the character of the page
> > gets from the point of view of potential misusing code.
> > 
> > I am glad you brought that problem up.
> > It is worth being discussed, since the current compromise is indeed
> > annoying. And annoyed users are a very, very bad thing...
> > 
> > So: any comments? ideas? drawbacks?

On Saturday 15 September 2012 00:06:00 Bernhard Posselt wrote:
> What if there was a built in post request that renews the token?

Ok, implemented and merged in OC core on 2012-09-28: 
https://github.com/owncloud/core/commit/cfc98398120065d33659f36573f81bcea9a3e97d
The change will be part of ownCloud version 4.5. Maybe you can give it a short 
try and check if your problem is solved? Thanks!

-- 
Christian Reiner (arkascha)
[ foss at christian-reiner.info ]


