mirror of https://we.phorge.it/source/phorge.git synced 2024-11-23 15:22:41 +01:00
epriestley 15ef2fced0 Fix conservative CSRF token cycling limit
Summary:
We currently cycle CSRF tokens every hour and check for the last two valid ones.
This means that a form could go stale in as little as an hour, and is certainly
stale after two.

When a stale form is submitted, you basically get a terrible heisen-state where
some of your data might persist if you're lucky but more likely it all just
vanishes. The .js file below outlines some more details.

This is a pretty terrible UX and we don't need to be as conservative about CSRF
validation as we're being. Remedy this problem by:

  - Accepting the last 6 CSRF tokens instead of the last 1 (i.e., pages are
valid for at least 6 hours, and for as long as 7).
  - Using JS to refresh the CSRF token every 55 minutes (i.e., pages connected
to the internet are valid indefinitely).
  - Showing the user an explicit message about what went wrong when CSRF
validation fails so the experience is less bewildering.

They should now only be able to submit with a bad CSRF token if:

  - They load a page, disconnect from the internet for 7 hours, reconnect, and
submit the form within 55 minutes; or
  - They are actually the victim of a CSRF attack.

We could eventually fix the first one by tracking reconnects, which might be
"free" once the notification server gets built. It will probably never be an
issue in practice.

Test Plan:
  - Reduced CSRF cycle frequency to 2 seconds, submitted a form after 15
seconds, got the CSRF exception.
  - Reduced csrf-refresh cycle frequency to 3 seconds, submitted a form after 15
seconds, got a clean form post.
  - Added debugging code to the csrf refresh to make sure it was doing sensible
things (pulling different tokens, finding all the inputs).

Reviewed By: aran
Reviewers: tuomaspelkonen, jungejason, aran
CC: aran, epriestley
Differential Revision: 660
2011-07-14 08:09:40 -07:00
bin Improve CLI script for account creation and document account/reg setup process 2011-05-12 18:44:53 -07:00
conf Provide a public view of feed 2011-07-11 12:51:59 -07:00
externals Update externals/javelin to HEAD for the JX.Vector.getPos() fix. 2011-07-05 14:07:28 -07:00
resources Add Phriction to the main nav menu 2011-07-12 09:26:51 -07:00
scripts Script to selectively convert MyISAM tables to InnoDB 2011-07-11 11:42:28 -07:00
src Fix conservative CSRF token cycling limit 2011-07-14 08:09:40 -07:00
support/aphlict Aphlict, simple notification server 2011-05-17 10:32:41 -07:00
webroot Fix conservative CSRF token cycling limit 2011-07-14 08:09:40 -07:00
.arcconfig Bring Javelin into Phabricator via git submodule, not copy-and-paste 2011-05-08 13:20:10 -07:00
.divinerconfig Document the N+1 problem and DarkConsole 2011-07-08 23:42:48 -07:00
.gitignore Gitignore additions 2011-06-10 12:59:15 -04:00
.gitmodules Just change the location. 2011-05-28 15:14:54 -07:00
CHANGELOG Allow Maniphest tasks to be filtered by Project 2011-06-29 21:56:47 -07:00
README Add a roadmap document and update the README. 2011-06-29 09:38:03 -07:00

Phabricator is an open source collection of web applications which make it easier
to write, review, and share source code. Phabricator was developed at Facebook.

This is an early release. It's pretty high-quality and usable, but under
active development so things may change quickly.

You can learn more about the project and find links to documentation and
resources at: http://phabricator.org/

LICENSE

Phabricator is released under the Apache 2.0 license except as otherwise noted.
http://www.apache.org/licenses/LICENSE-2.0