Phabricator file F13983233: D10136.diff (1 KB)
diff --git a/src/applications/auth/engine/PhabricatorAuthSessionEngine.php b/src/applications/auth/engine/PhabricatorAuthSessionEngine.php
--- a/src/applications/auth/engine/PhabricatorAuthSessionEngine.php
+++ b/src/applications/auth/engine/PhabricatorAuthSessionEngine.php
@@ -165,6 +165,9 @@
// TTL back up to the full duration. The idea here is that sessions are
// good forever if used regularly, but get GC'd when they fall out of use.
+ // NOTE: If we begin rotating session keys when extending sessions, the
+ // CSRF code needs to be updated so CSRF tokens survive session rotation.
+
if (time() + (0.80 * $ttl) > $session->getSessionExpires()) {
$unguarded = AphrontWriteGuard::beginScopedUnguardedWrites();
$conn_w = $session_table->establishConnection('w');
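Review bot: The NOTE added at the top of this hunk documents a coupling between session extension and CSRF token derivation, but nothing in the code enforces it, so a future change that rotates the session key here would silently invalidate every outstanding CSRF token for that session. Suggest naming the dependent code in the comment (the CSRF vector construction in PhabricatorUser, where the session key is concatenated into `$vec`) so whoever edits this extension path can find the other side, and consider adding the mirror-image note next to the CSRF code as well.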
diff --git a/src/applications/people/storage/PhabricatorUser.php b/src/applications/people/storage/PhabricatorUser.php
--- a/src/applications/people/storage/PhabricatorUser.php
+++ b/src/applications/people/storage/PhabricatorUser.php
@@ -339,6 +339,10 @@
$vec = $this->getAlternateCSRFString();
}
+ if ($this->hasSession()) {
+ $vec = $vec.$this->getSession()->getSessionKey();
+ }
+
$time_block = floor($epoch / $frequency);
$vec = $vec.$key.$time_block;
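Review bot: The session key is appended to `$vec` with plain string concatenation and no delimiter, and the following line then appends `$key` and `$time_block` the same way, so the boundaries between the components of the vector are ambiguous (a shorter session key followed by a longer `$key` could, in principle, produce the same concatenated string as a different split). Suggest inserting a fixed separator between each component, e.g. `$vec = $vec.'/'.$this->getSession()->getSessionKey();`, so the material fed into the token derivation is unambiguously framed. Also worth confirming that `hasSession()` and `getSession()->getSessionKey()` are available on every code path that calls this method, including request handling before a session has been established (the `getAlternateCSRFString()` branch above), since callers without a session will now get a token bound to no session key while callers with one get a token that is only valid for that session, which is the intended effect of D10136 but changes behaviour for any form rendered before login and submitted after.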
File metadata: Mime Type text/plain; Expires Mon, Oct 21, 5:00 AM; Storage Engine blob; Storage Format Encrypted (AES-256-CBC); Storage Handle 6712973.
Attached To: D10136: Make the current session key a component of the CSRF token