[horde] Horde form tokens
Chuck Hagenbuch
chuck at horde.org
Thu Jul 9 05:21:18 UTC 2009
Quoting Andrew Morgan <morgan at orst.edu>:
> How does the CSRF work? Maybe if I understood what was happening I
> could debug it further on my end.
A token is generated for the action being taken (separate tokens for
logout, compose, etc.). It is stored in the session, and also put into
the form data for the action. When the action is submitted, the token
has to be in the user's session and not expired.
The relevant code for your version is in imp/lib/IMP.php, in
getRequestToken and checkRequestToken.
Looking there now, it looks like the FW3/IMP implementation uses
seconds, not minutes, so you might check that. HOWEVER - the error
message your user is getting indicates that the token isn't in their
session at all, not that it has timed out. That's why I asked about
external auth or potential session resets.
-chuck
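The token flow described in this reply, as an added example that is not Horde's or IMP's own code: getRequestToken/checkRequestToken below are my own stand-ins for the functions named above, $session replaces $_SESSION so the script runs from the CLI, and the 300-second lifetime is an assumed value. The checker reports "missing" and "expired" separately, which is the distinction the diagnosis above relies on, and names the lifetime unit explicitly to avoid the seconds/minutes confusion mentioned.

```php
<?php
// Added example (not Horde/IMP code): per-action request tokens kept in the
// session with an explicit expiry, distinguishing "not in session" from "expired".

// Assumed lifetime; the unit is stated in the name so it cannot be misread.
const TOKEN_LIFETIME_SECONDS = 300;

// Mint a fresh token for one action and record when it was created.
function getRequestToken(array &$session, string $action, int $now): string
{
    $token = bin2hex(random_bytes(16));
    $session['tokens'][$action][$token] = $now; // creation timestamp
    return $token;
}

// Returns 'ok', 'missing' or 'expired'. A token is single-use: it is removed
// from the session as soon as it is checked, whatever the outcome.
function checkRequestToken(array &$session, string $action, string $token, int $now): string
{
    if (!isset($session['tokens'][$action][$token])) {
        // Never stored, wrong action, already consumed, or the session was
        // reset (e.g. re-authentication) since the form was rendered.
        return 'missing';
    }
    $created = $session['tokens'][$action][$token];
    unset($session['tokens'][$action][$token]);
    if ($now - $created > TOKEN_LIFETIME_SECONDS) {
        return 'expired';
    }
    return 'ok';
}

// Simulated flow with constructed timestamps.
$session = [];
$t1 = getRequestToken($session, 'logout', 1000);
echo checkRequestToken($session, 'logout', $t1, 1100), "\n";   // ok
echo checkRequestToken($session, 'logout', $t1, 1100), "\n";   // missing (already used)

$t2 = getRequestToken($session, 'compose', 1000);
echo checkRequestToken($session, 'compose', $t2, 1301), "\n";  // expired (301 s > 300 s)

$t3 = getRequestToken($session, 'compose', 1000);
echo checkRequestToken($session, 'logout', $t3, 1000), "\n";   // missing (token bound to 'compose')

$session = [];                                                 // session reset
echo checkRequestToken($session, 'compose', $t3, 1000), "\n";  // missing, not expired
```

When a user reports the "missing" case rather than "expired", the session contents are the thing to inspect, not the timeout.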