Hi,
I think I found a problem with how we use CSRF tokens.
If a token is discovered by an attacker, and if the user leaves their
session open, the attacker can use the token to impersonate the user on
every CSRF-protected form for 8 hours (Koha::Token::CSRF_EXPIRY_HOURS).
Is this a known issue?
Bug 18124 restricts the token to a user's session. Maybe it would be good to
restrict it to a particular form too.
To go further, I think we should have a way to invalidate tokens after
their use, so a token can never be used twice.
Any thoughts?
--
Julian Maurice <julian.maur...@biblibre.com>
BibLibre
_______________________________________________
Koha-devel mailing list
Koha-devel@lists.koha-community.org
http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-devel
website : http://www.koha-community.org/
git : http://git.koha-community.org/
bugs : http://bugs.koha-community.org/
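The two hardening ideas raised in the message above (binding a token to a particular form as well as the session, and invalidating it after one use) can be sketched as follows. This is an added illustration written for this page, not Koha's code and not the Koha::Token API; the secret, the form identifiers, the session identifiers and the in-memory `used_nonces` store are all assumptions made for the example. The eight-hour window matches the lifetime the message describes.

```python
import hashlib
import hmac
import secrets
import time

# Hypothetical server-side secret (assumption for this example). A real
# deployment would load it from configuration, never embed it in source.
SERVER_SECRET = b"example-secret-do-not-use-in-production"

# Eight-hour validity window, the same lifetime discussed in the message.
CSRF_EXPIRY_SECONDS = 8 * 3600


def _mac(session_id, form_id, issued_at, nonce):
    # The MAC covers the session, the form, the issue time and a random
    # nonce, so a token minted for one session/form pair cannot be replayed
    # against another: changing any field changes the expected MAC.
    msg = b"\x00".join([
        session_id.encode(), form_id.encode(),
        str(issued_at).encode(), nonce.encode(),
    ])
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def make_token(session_id, form_id, now=None):
    """Mint a token bound to (session_id, form_id). Format: issued.nonce.mac"""
    issued_at = int(now if now is not None else time.time())
    nonce = secrets.token_hex(16)
    return f"{issued_at}.{nonce}.{_mac(session_id, form_id, issued_at, nonce)}"


def verify_token(token, session_id, form_id, used_nonces, now=None):
    """Check a submitted token against the current session and the form
    being submitted, and burn it so it cannot be used a second time.

    used_nonces is the single-use store (a plain set here, an assumption;
    in production it would be per-session persistent storage that is
    pruned once entries are older than CSRF_EXPIRY_SECONDS).
    Returns (ok, reason)."""
    now = int(now if now is not None else time.time())
    try:
        issued_str, nonce, mac = token.split(".")
        issued_at = int(issued_str)
    except ValueError:
        return False, "malformed"

    expected = _mac(session_id, form_id, issued_at, nonce)
    # Constant-time comparison; a mismatch means wrong session, wrong form
    # or a tampered token, and we deliberately do not say which.
    if not hmac.compare_digest(mac, expected):
        return False, "bad mac"

    if issued_at > now or now - issued_at > CSRF_EXPIRY_SECONDS:
        return False, "expired"

    # Single use: a nonce that has already been accepted is rejected even
    # though its MAC is still valid and it has not yet expired.
    if nonce in used_nonces:
        return False, "replayed"
    used_nonces.add(nonce)
    return True, "ok"


if __name__ == "__main__":
    # Constructed walk-through: one session, one form, one leaked token.
    used = set()
    tok = make_token("session-alice", "form-renew-loan")
    print(verify_token(tok, "session-alice", "form-renew-loan", used))   # (True, 'ok')
    print(verify_token(tok, "session-alice", "form-renew-loan", used))   # (False, 'replayed')
    print(verify_token(tok, "session-mallory", "form-renew-loan", set()))  # (False, 'bad mac')
    print(verify_token(tok, "session-alice", "form-delete-patron", set()))  # (False, 'bad mac')
```

Two practical caveats that follow from the design rather than from the message: because the form identifier is part of the MAC input, the server must know which form a request claims to come from (a hidden field or the request path) before it can verify, and single-use tokens break the back button and multi-tab workflows unless each page load mints a fresh token and the store tolerates several outstanding nonces per session.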