Page MenuHomePhabricator

D10136.id.diff
No OneTemporary

D10136.id.diff

diff --git a/src/applications/auth/engine/PhabricatorAuthSessionEngine.php b/src/applications/auth/engine/PhabricatorAuthSessionEngine.php
--- a/src/applications/auth/engine/PhabricatorAuthSessionEngine.php
+++ b/src/applications/auth/engine/PhabricatorAuthSessionEngine.php
@@ -165,6 +165,9 @@
// TTL back up to the full duration. The idea here is that sessions are
// good forever if used regularly, but get GC'd when they fall out of use.
+ // NOTE: If we begin rotating session keys when extending sessions, the
+ // CSRF code needs to be updated so CSRF tokens survive session rotation.
+
if (time() + (0.80 * $ttl) > $session->getSessionExpires()) {
$unguarded = AphrontWriteGuard::beginScopedUnguardedWrites();
$conn_w = $session_table->establishConnection('w');
diff --git a/src/applications/people/storage/PhabricatorUser.php b/src/applications/people/storage/PhabricatorUser.php
--- a/src/applications/people/storage/PhabricatorUser.php
+++ b/src/applications/people/storage/PhabricatorUser.php
@@ -339,6 +339,10 @@
$vec = $this->getAlternateCSRFString();
}
+ if ($this->hasSession()) {
+ $vec = $vec.$this->getSession()->getSessionKey();
+ }
+
$time_block = floor($epoch / $frequency);
$vec = $vec.$key.$time_block;

File Metadata

Mime Type
text/plain
Expires
Oct 20 2024, 1:46 AM (4 w, 2 d ago)
Storage Engine
blob
Storage Format
Encrypted (AES-256-CBC)
Storage Handle
6712973
Default Alt Text
D10136.id.diff (1 KB)

Event Timeline