Page MenuHomePhabricator
Differential D10136

Make the current session key a component of the CSRF token
ClosedPublic
Actions

Authored by epriestley on Aug 3 2014, 6:56 PM.
Tags
None
Referenced Files
F15519955: D10136.id24405.diff
Sun, Apr 20, 1:35 AM
F15512729: D10136.id24375.diff
Thu, Apr 17, 1:13 PM
F15511447: D10136.id.diff
Thu, Apr 17, 2:29 AM
F15508188: D10136.diff
Wed, Apr 16, 3:01 AM
F15492557: D10136.id24405.diff
Sat, Apr 12, 3:51 PM
F15412764: D10136.diff
Mar 19 2025, 2:47 PM
F15402858: D10136.id24405.diff
Mar 18 2025, 12:42 AM
F15401000: D10136.id24375.diff
Mar 17 2025, 3:09 PM
View All Files
Subscribers
epriestley

Details

Reviewers
btrahan
Maniphest Tasks
T5510: Bind CSRF tokens to a "session core" secret
Commits
Restricted Diffusion Commit
rP42cf7f6faa10: Make the current session key a component of the CSRF token
Summary

Fixes T5510. This purely reduces false positives from HackerOne: we currently rotate CSRF tokens, but do not bind them explicitly to specific sessions. Doing so has no real security benefit and may make some session rotation changes more difficult down the line, but researchers routinely report it. Just conform to expectations since the expected behavior isn't bad and this is less work for us than dealing with false positives.

Test Plan
  • With two browsers logged in under the same user, verified I was issued different CSRF tokens.
  • Verified the token from one browser did not work in the other browser's session.

Diff Detail

Repository
rP Phabricator
Lint
Lint Skipped
Unit
Tests Skipped

Event Timeline

epriestley updated this revision to Diff 24375.Aug 3 2014, 6:56 PM
epriestley retitled this revision from to Make the current session key a component of the CSRF token.
epriestley updated this object.
epriestley edited the test plan for this revision. (Show Details)
epriestley added a reviewer: btrahan.
epriestley added a task: T5510: Bind CSRF tokens to a "session core" secret.
Herald added a subscriber: epriestley. · View Herald TranscriptAug 3 2014, 6:56 PM
Harbormaster completed remote builds in B2020: Diff 24375.Aug 3 2014, 6:57 PM
btrahan accepted this revision.Aug 4 2014, 6:54 PM
btrahan edited edge metadata.
This revision is now accepted and ready to land.Aug 4 2014, 6:54 PM
epriestley closed this revision.Aug 4 2014, 7:04 PM
epriestley updated this revision to Diff 24405.

Closed by commit rP42cf7f6faa10 (authored by @epriestley).

Revision Contents
Changeset List

PathSize
src/
applications/
auth/
engine/
3 lines
people/
storage/
4 lines

Diff 24405

View Options

src/applications/auth/engine/PhabricatorAuthSessionEngine.php

Loading...
View Options

src/applications/people/storage/PhabricatorUser.php

Loading...
Phabricator · Built by Phacility