« Return to Thread: Horde form tokens

Re: Horde form tokens

by Andrew Morgan


On Thu, 9 Jul 2009, Chuck Hagenbuch wrote:

> Quoting Andrew Morgan <morgan@...>:
>
>> How does the CSRF work?  Maybe if I understood what was happening I could
>> debug it further on my end.
>
> A token is generated for the action being taken (separate tokens for logout,
> compose, etc.). It is stored in the session, and also put into the form data
> for the action. When the action is submitted, the token has to be in the
> user's session and not expired.
>
> The relevant code for your version is in imp/lib/IMP.php, in getRequestToken
> and checkRequestToken.
>
> Looking there now, it looks like the FW3/IMP implementation uses seconds, not
> minutes, so you might check that. HOWEVER - the error message your user is
> getting indicates that the token isn't in their session at all, not that it
> has timed out. That's why I asked about external auth or potential session
> resets.

Okay, I'm checking with the user to see if they are logged out at the time
this error occurs.

Side note - it seems there are 2 token_lifetime config parameters:

$conf['urls']['token_lifetime'] = 240;  (in horde's conf.php)
$conf['server']['token_lifetime'] = 1800;  (in imp's conf.php)

The horde parameter is specified in minutes and the imp parameter is
specified in seconds.

Do these parameters both serve the same purpose?  Should I set them to the
same value (in the appropriate unit of time)?  I'm not sure why I
increased the horde value from the default 30 minutes to 240 minutes.  Are
other folks using higher values, or should I stick to the defaults?

Thanks,
  Andy
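The per-action, session-bound, expiring token scheme Chuck describes above, written out as an added PHP example (not Horde's or IMP's own getRequestToken/checkRequestToken code). The class name, the seconds-based lifetime argument and the three distinct check results are assumptions; the point is that a token absent from the session is a different failure from one that has timed out.

```php
<?php
// Added example: session-bound, per-action request token with a lifetime,
// modelled on the scheme described in the thread. RequestToken and
// $lifetimeSeconds are assumed names, not Horde/IMP identifiers.

final class RequestToken
{
    // Lifetime in SECONDS. The thread notes IMP counts seconds while Horde's
    // urls/token_lifetime is in minutes; mixing units gives a wildly wrong expiry.
    public function __construct(private int $lifetimeSeconds = 1800) {}

    // Generate a token for one action ('logout', 'compose', ...), store it in
    // the session with its creation time, and return it for the hidden form field.
    public function generate(string $action): string
    {
        $token = bin2hex(random_bytes(16));
        $_SESSION['request_tokens'][$action] = ['token' => $token, 'created' => time()];
        return $token;
    }

    // Validate the submitted token for this action. Returns:
    //   'missing'  - no token for this action in the session (session reset,
    //                fresh login, external auth replaced the session)
    //   'expired'  - token present but older than the lifetime
    //   'mismatch' - token present and fresh but does not match the form value
    //   'ok'       - token present, fresh and matching
    public function check(string $action, ?string $submitted): string
    {
        $stored = $_SESSION['request_tokens'][$action] ?? null;
        if ($stored === null || $submitted === null) {
            return 'missing';
        }
        if (time() - $stored['created'] > $this->lifetimeSeconds) {
            unset($_SESSION['request_tokens'][$action]);
            return 'expired';
        }
        // Constant-time comparison so the check does not leak token bytes by timing.
        return hash_equals($stored['token'], $submitted) ? 'ok' : 'mismatch';
    }
}

// Constructed usage (the framework would normally start the session itself).
session_start();
$rt = new RequestToken(1800);
$hidden = $rt->generate('compose');        // value for <input type="hidden" name="token">
echo $rt->check('compose', $hidden), "\n";
echo $rt->check('logout', $hidden), "\n";  // token was issued for 'compose', not 'logout'
```

Logging which of the three failure results occurred, as the IMP error message in the thread effectively does, is what lets you tell a lifetime misconfiguration apart from a session that was reset.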

--
Horde mailing list - Join the hunt: http://horde.org/bounties/#horde
Frequently Asked Questions: http://horde.org/faq/
To unsubscribe, mail: horde-unsubscribe@...
