Page MenuHomePhabricator

Make the current session key a component of the CSRF token
ClosedPublic

Authored by epriestley on Aug 3 2014, 6:56 PM.
Tags
None
Referenced Files
Unknown Object (File)
Sun, May 25, 12:32 PM
Unknown Object (File)
Tue, May 20, 10:00 AM
Unknown Object (File)
Mon, May 19, 2:29 AM
Unknown Object (File)
Sun, May 18, 3:12 AM
Unknown Object (File)
Apr 20 2025, 1:35 AM
Unknown Object (File)
Apr 17 2025, 1:13 PM
Unknown Object (File)
Apr 17 2025, 2:29 AM
Unknown Object (File)
Apr 16 2025, 3:01 AM
Subscribers

Details

Summary

Fixes T5510. This purely reduces false positives from HackerOne: we currently rotate CSRF tokens, but do not bind them explicitly to specific sessions. Doing so has no real security benefit and may make some session rotation changes more difficult down the line, but researchers routinely report it. Just conform to expectations since the expected behavior isn't bad and this is less work for us than dealing with false positives.

Test Plan
  • With two browsers logged in under the same user, verified I was issued different CSRF tokens.
  • Verified the token from one browser did not work in the other browser's session.

Diff Detail

Repository
rP Phabricator
Lint
Lint Skipped
Unit
Tests Skipped

Event Timeline

epriestley retitled this revision from to Make the current session key a component of the CSRF token.
epriestley updated this object.
epriestley edited the test plan for this revision. (Show Details)
epriestley added a reviewer: btrahan.
btrahan edited edge metadata.
This revision is now accepted and ready to land.Aug 4 2014, 6:54 PM
epriestley updated this revision to Diff 24405.

Closed by commit rP42cf7f6faa10 (authored by @epriestley).