
Bind CSRF tokens to a "session core" secret
Closed, Resolved (Public)

Description

We currently rotate CSRF tokens and sessions independently. This is not a security issue, but it causes a lot of false-positive reports on HackerOne where researchers misunderstand the mechanism, think CSRF tokens can be transferred between accounts, etc.

Since we rotate sessions and CSRF tokens, binding them directly to one another isn't desirable, because it will make rotation entangled and complicated.

However, we can introduce a non-rotating "session core" secret which we hash into CSRF tokens. This won't appreciably improve security, but will make the system look more secure.
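An added illustration of the proposed scheme (not Phabricator's code): CSRF tokens are derived by keyed-hashing a non-rotating per-session `core` secret together with a rotation window, so tokens still rotate on their own schedule, a session-key rotation does not invalidate them, and a token minted for one account's session can never validate for another. The server key, window length and grace period are assumed values chosen for the demo.

```python
import hashlib
import hmac
import secrets

# Assumed server-side secret (constructed for this demo; a real deployment
# loads it from the application's key store, never from source).
SERVER_KEY = b"constructed-server-secret-for-demo-only"

TOKEN_WINDOW_SECONDS = 3600   # how often CSRF tokens rotate (assumed)
TOKEN_GRACE_WINDOWS = 6       # how many past windows are still accepted (assumed)


class Session:
    """A login session: `key` identifies the session and may be rotated,
    `core` is the non-rotating secret that CSRF tokens are bound to."""

    def __init__(self) -> None:
        self.key = secrets.token_hex(16)
        self.core = secrets.token_bytes(32)

    def rotate_key(self) -> None:
        # Rotating the session key leaves `core` untouched, so outstanding
        # CSRF tokens stay valid across the rotation.
        self.key = secrets.token_hex(16)


def csrf_token_for_window(core: bytes, window: int) -> str:
    """Derive the token for one rotation window from the session core."""
    msg = core + window.to_bytes(8, "big")
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()[:32]


def csrf_token(core: bytes, now: int) -> str:
    """Token a form rendered at time `now` (epoch seconds) should carry."""
    return csrf_token_for_window(core, now // TOKEN_WINDOW_SECONDS)


def validate_csrf_token(core: bytes, token: str, now: int) -> bool:
    """Accept the current window plus a few previous ones so a form loaded
    shortly before a rotation still submits; compare in constant time."""
    current = now // TOKEN_WINDOW_SECONDS
    for age in range(TOKEN_GRACE_WINDOWS + 1):
        expected = csrf_token_for_window(core, current - age)
        if hmac.compare_digest(expected, token):
            return True
    return False
```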

Event Timeline

epriestley raised the priority of this task from to Low.
epriestley updated the task description.
epriestley added a project: Security.
epriestley added a subscriber: epriestley.

> Since we rotate sessions and CSRF tokens

I misremembered this slightly: we rotate CSRF tokens, but do not currently rotate session keys, so we don't need to introduce a non-rotating secret (at least, until we start rotating session keys).