[dev] Token lifetimes (was Re: [imp] EMERG: HORDE This request could not be carried out)
Michael M Slusarz
slusarz at horde.org
Mon Nov 4 18:06:59 UTC 2013
Quoting Jan Schneider <jan at horde.org>:
> Quoting Michael M Slusarz <slusarz at horde.org>:
>
>> From the OWASP white-page on CSRF:
>>
>> "In general, developers need only generate this token once for the
>> current session. After initial generation of this token, the value
>> is stored in the session and is utilized for each subsequent
>> request until the session expires."
>>
>> https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29_Prevention_Cheat_Sheet
>
> Thanks for looking this up. Makes sense.
What I think we gain from this discussion:
1) Generic Horde_Token tokens used to protect against CSRF attacks
(and generated via Horde_Token#get()) are deprecated. Instead, use
Horde_Session#getToken()/Horde_Session#checkToken().
2) To protect against multiple form submissions, Horde_Token nonces
are still ok. BUT... wondering if we should eventually remove usage
of Horde_Token entirely and simply add nonce generation to the Session
library. That would be one less library to configure/maintain.
I guess Horde_Token *could* be used to store tokens for things like
signup forms, etc. But we aren't using this in the framework
currently, since all of our tokens expire.
michael
___________________________________
Michael Slusarz [slusarz at horde.org]
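The distinction drawn in the message, a single CSRF token that lives as long as the session versus short-lived single-use nonces for duplicate-submission protection, is illustrated below with an added, self-contained Python example. This is not Horde code: the `Session` class is a stand-in for Horde_Session, and the method names `get_token`/`check_token`/`get_nonce`/`check_nonce` are assumptions that only mirror the thread's getToken()/checkToken() naming. The `now` parameters exist so the expiry behaviour can be exercised with constructed timestamps instead of the wall clock.

```python
import hmac
import secrets
import time


class Session:
    """Minimal in-memory session (assumed stand-in for Horde_Session)."""

    def __init__(self):
        self.data = {}      # ordinary session data, including the CSRF token
        self.nonces = {}    # nonce -> expiry timestamp (seconds since epoch)

    # --- CSRF token: generated once per session, reused on every request ---
    def get_token(self):
        """Return the session's CSRF token, creating it on first use."""
        tok = self.data.get("csrf_token")
        if tok is None:
            tok = secrets.token_urlsafe(32)   # 256 bits from the CSPRNG
            self.data["csrf_token"] = tok
        return tok

    def check_token(self, submitted):
        """True iff the submitted value equals this session's token.

        Constant-time comparison; a session without a token, or a missing
        value, always fails. Tokens from another session fail because they
        are never equal to this session's token.
        """
        expected = self.data.get("csrf_token")
        if expected is None or submitted is None:
            return False
        return hmac.compare_digest(expected, submitted)

    # --- Nonce: single use, short lifetime, for duplicate-submit protection ---
    def get_nonce(self, lifetime=300, now=None):
        """Issue a fresh nonce that is valid for `lifetime` seconds."""
        now = time.time() if now is None else now
        nonce = secrets.token_urlsafe(16)
        self.nonces[nonce] = now + lifetime
        return nonce

    def check_nonce(self, nonce, now=None):
        """Consume a nonce. True only for a known, unexpired, unused value.

        The nonce is removed on the first check, so a replay (a second form
        submission with the same value) is rejected even if still unexpired.
        """
        now = time.time() if now is None else now
        expiry = self.nonces.pop(nonce, None)
        if expiry is None:
            return False
        return now <= expiry


def demo():
    """Walk through both mechanisms; returns the observed results."""
    s = Session()
    tok = s.get_token()
    results = {
        "token_stable": s.get_token() == tok,        # same value all session
        "token_ok": s.check_token(tok),
        "token_tampered": s.check_token(tok + "x"),   # expect False
        "token_other_session": Session().check_token(tok),  # expect False
    }
    n = s.get_nonce(lifetime=300, now=1000.0)
    results["nonce_first_use"] = s.check_nonce(n, now=1100.0)   # True
    results["nonce_replay"] = s.check_nonce(n, now=1100.0)      # False
    n2 = s.get_nonce(lifetime=60, now=1000.0)
    results["nonce_expired"] = s.check_nonce(n2, now=1061.0)    # False
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The CSRF token is compared with `hmac.compare_digest` rather than `==` so that a mismatch does not leak position information through timing; the nonce is consumed with `dict.pop` so that presence and removal happen in one step.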