Homec4science
Diffusion Phabricator 42cf7f6faa10

Make the current session key a component of the CSRF token
42cf7f6faa10
Actions

Authored by epriestley <git@epriestley.com> on Aug 4 2014, 21:04.

Description

Make the current session key a component of the CSRF token

Summary: Fixes T5510. This purely reduces false positives from HackerOne: we currently rotate CSRF tokens, but do not bind them explicitly to specific sessions. Doing so has no real security benefit and may make some session rotation changes more difficult down the line, but researchers routinely report it. Just conform to expectations since the expected behavior isn't bad and this is less work for us than dealing with false positives.

Test Plan:

  • With two browsers logged in under the same user, verified I was issued different CSRF tokens.
  • Verified the token from one browser did not work in the other browser's session.

Reviewers: btrahan

Reviewed By: btrahan

Subscribers: epriestley

Maniphest Tasks: T5510

Differential Revision: https://secure.phabricator.com/D10136

Details

Committed
epriestley <git@epriestley.com>Aug 4 2014, 21:04
Pushed
aubortJan 31 2017, 17:16
Parents
rPH95eeffff7e5d: Terminate other sessions on credential changes
Branches
Unknown
Tags
Unknown

Event Timeline

epriestley <git@epriestley.com> committed rPH42cf7f6faa10: Make the current session key a component of the CSRF token (authored by epriestley <git@epriestley.com>).Aug 4 2014, 21:04

Changes (2)

Path
Msrc/applications/auth/engine/PhabricatorAuthSessionEngine.php
Msrc/applications/people/storage/PhabricatorUser.php

rPH42cf7f6faa10

View Options

src/applications/auth/engine/PhabricatorAuthSessionEngine.php

Loading...
View Options

src/applications/people/storage/PhabricatorUser.php

Loading...
c4science ยท Help