
Make the current session key a component of the CSRF token
ClosedPublic

Authored by epriestley on Aug 3 2014, 6:56 PM.
Details

Summary

Fixes T5510. This purely reduces false positives from HackerOne: we currently rotate CSRF tokens, but do not bind them explicitly to specific sessions. Doing so has no real security benefit and may make some session rotation changes more difficult down the line, but researchers routinely report it. Just conform to expectations since the expected behavior isn't bad and this is less work for us than dealing with false positives.

Test Plan
  • With two browsers logged in under the same user, verified I was issued different CSRF tokens.
  • Verified the token from one browser did not work in the other browser's session.
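An added illustration of the behaviour the summary and test plan describe, not Phabricator's own code: a CSRF token is derived with an HMAC over a server secret, the user id, the session key and a rotating time window, so two sessions of the same user get different tokens and a token issued to one session fails validation in the other. The server secret, window length, grace period and session keys below are constructed assumptions.

```python
import hashlib
import hmac
import time

# Constructed values for the example; a real deployment keeps the secret server-side.
SERVER_SECRET = b"example-server-side-csrf-secret"
TOKEN_WINDOW = 3600        # seconds per rotation window (assumed)
TOKEN_GRACE_WINDOWS = 1    # previous windows still accepted, so rotation does not break in-flight forms


def csrf_token(user_id, session_key, now=None, offset=0):
    """Return the token for the window `offset` windows before `now`.

    Binding the session key into the MAC is the change this revision makes:
    without it, any session of the user would share one token for the window.
    """
    now = time.time() if now is None else now
    window = int(now // TOKEN_WINDOW) - offset
    message = f"{user_id}:{session_key}:{window}".encode()
    return hmac.new(SERVER_SECRET, message, hashlib.sha256).hexdigest()[:16]


def validate_csrf_token(user_id, session_key, token, now=None):
    """Accept the current window's token and up to TOKEN_GRACE_WINDOWS older ones."""
    for offset in range(TOKEN_GRACE_WINDOWS + 1):
        expected = csrf_token(user_id, session_key, now, offset)
        # Constant-time comparison avoids leaking the expected token byte by byte.
        if hmac.compare_digest(expected, token):
            return True
    return False


if __name__ == "__main__":
    # Mirror the test plan: same user, two browser sessions (constructed session keys).
    t = 1_000_000
    tok_a = csrf_token("user-1", "session-key-browser-a", now=t)
    tok_b = csrf_token("user-1", "session-key-browser-b", now=t)
    print("tokens differ per session:", tok_a != tok_b)
    print("A's token valid in A:", validate_csrf_token("user-1", "session-key-browser-a", tok_a, now=t))
    print("A's token valid in B:", validate_csrf_token("user-1", "session-key-browser-b", tok_a, now=t))
    print("A's token after one rotation:", validate_csrf_token("user-1", "session-key-browser-a", tok_a, now=t + TOKEN_WINDOW))
    print("A's token after two rotations:", validate_csrf_token("user-1", "session-key-browser-a", tok_a, now=t + 2 * TOKEN_WINDOW))
```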

Diff Detail

Repository
rP Phabricator
Branch
token4
Lint
Lint Passed
Unit
Tests Passed
Build Status
Buildable 2020
Build 2021: [Placeholder Plan] Wait for 30 Seconds

Event Timeline

epriestley retitled this revision from to Make the current session key a component of the CSRF token.
epriestley updated this object.
epriestley edited the test plan for this revision.
epriestley added a reviewer: btrahan.
btrahan edited edge metadata.
This revision is now accepted and ready to land. Aug 4 2014, 6:54 PM
epriestley updated this revision to Diff 24405.

Closed by commit rP42cf7f6faa10 (authored by @epriestley).