Page MenuHomePhabricator
Differential D10136

Make the current session key a component of the CSRF token
ClosedPublic
Actions

Authored by epriestley on Aug 3 2014, 6:56 PM.
Tags
None
Referenced Files
F15412764: D10136.diff
Wed, Mar 19, 2:47 PM
F15402858: D10136.id24405.diff
Tue, Mar 18, 12:42 AM
F15401000: D10136.id24375.diff
Mon, Mar 17, 3:09 PM
F15399225: D10136.id.diff
Mon, Mar 17, 3:25 AM
F15395228: D10136.diff
Sun, Mar 16, 4:00 AM
F15385087: D10136.id24405.diff
Fri, Mar 14, 9:40 PM
Unknown Object (File)
Feb 16 2025, 3:40 AM
Unknown Object (File)
Feb 3 2025, 4:45 AM
View All Files
Subscribers
epriestley

Details

Reviewers
btrahan
Maniphest Tasks
T5510: Bind CSRF tokens to a "session core" secret
Commits
Restricted Diffusion Commit
rP42cf7f6faa10: Make the current session key a component of the CSRF token
Summary

Fixes T5510. This purely reduces false positives from HackerOne: we currently rotate CSRF tokens, but do not bind them explicitly to specific sessions. Doing so has no real security benefit and may make some session rotation changes more difficult down the line, but researchers routinely report it. Just conform to expectations since the expected behavior isn't bad and this is less work for us than dealing with false positives.

Test Plan
  • With two browsers logged in under the same user, verified I was issued different CSRF tokens.
  • Verified the token from one browser did not work in the other browser's session.

Diff Detail

Repository
rP Phabricator
Lint
Lint Skipped
Unit
Tests Skipped

Event Timeline

epriestley updated this revision to Diff 24375.Aug 3 2014, 6:56 PM
epriestley retitled this revision from to Make the current session key a component of the CSRF token.
epriestley updated this object.
epriestley edited the test plan for this revision. (Show Details)
epriestley added a reviewer: btrahan.
epriestley added a task: T5510: Bind CSRF tokens to a "session core" secret.
Herald added a subscriber: epriestley. · View Herald TranscriptAug 3 2014, 6:56 PM
Harbormaster completed remote builds in B2020: Diff 24375.Aug 3 2014, 6:57 PM
btrahan accepted this revision.Aug 4 2014, 6:54 PM
btrahan edited edge metadata.
This revision is now accepted and ready to land.Aug 4 2014, 6:54 PM
epriestley closed this revision.Aug 4 2014, 7:04 PM
epriestley updated this revision to Diff 24405.

Closed by commit rP42cf7f6faa10 (authored by @epriestley).

Revision Contents
Changeset List

PathSize
src/
applications/
auth/
engine/
3 lines
people/
storage/
4 lines

Diff 24405

View Options

src/applications/auth/engine/PhabricatorAuthSessionEngine.php

Loading...
View Options

src/applications/people/storage/PhabricatorUser.php

Loading...
Phabricator · Built by Phacility