mirror of
https://we.phorge.it/source/phorge.git
synced 2024-12-25 15:00:58 +01:00
Make the current session key a component of the CSRF token
Summary: Fixes T5510. This purely reduces false positives from HackerOne: we currently rotate CSRF tokens, but do not bind them explicitly to specific sessions. Doing so has no real security benefit and may make some session rotation changes more difficult down the line, but researchers routinely report it. Just conform to expectations since the expected behavior isn't bad and this is less work for us than dealing with false positives. Test Plan: - With two browsers logged in under the same user, verified I was issued different CSRF tokens. - Verified the token from one browser did not work in the other browser's session. Reviewers: btrahan Reviewed By: btrahan Subscribers: epriestley Maniphest Tasks: T5510 Differential Revision: https://secure.phabricator.com/D10136
This commit is contained in:
parent
95eeffff7e
commit
42cf7f6faa
2 changed files with 7 additions and 0 deletions
|
@ -165,6 +165,9 @@ final class PhabricatorAuthSessionEngine extends Phobject {
|
||||||
// TTL back up to the full duration. The idea here is that sessions are
|
// TTL back up to the full duration. The idea here is that sessions are
|
||||||
// good forever if used regularly, but get GC'd when they fall out of use.
|
// good forever if used regularly, but get GC'd when they fall out of use.
|
||||||
|
|
||||||
|
// NOTE: If we begin rotating session keys when extending sessions, the
|
||||||
|
// CSRF code needs to be updated so CSRF tokens survive session rotation.
|
||||||
|
|
||||||
if (time() + (0.80 * $ttl) > $session->getSessionExpires()) {
|
if (time() + (0.80 * $ttl) > $session->getSessionExpires()) {
|
||||||
$unguarded = AphrontWriteGuard::beginScopedUnguardedWrites();
|
$unguarded = AphrontWriteGuard::beginScopedUnguardedWrites();
|
||||||
$conn_w = $session_table->establishConnection('w');
|
$conn_w = $session_table->establishConnection('w');
|
||||||
|
|
|
@ -339,6 +339,10 @@ final class PhabricatorUser
|
||||||
$vec = $this->getAlternateCSRFString();
|
$vec = $this->getAlternateCSRFString();
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if ($this->hasSession()) {
|
||||||
|
$vec = $vec.$this->getSession()->getSessionKey();
|
||||||
|
}
|
||||||
|
|
||||||
$time_block = floor($epoch / $frequency);
|
$time_block = floor($epoch / $frequency);
|
||||||
$vec = $vec.$key.$time_block;
|
$vec = $vec.$key.$time_block;
|
||||||
|
|
||||||
|
|
Loading…
Reference in a new issue