[stable12] Fix failing csp/nonce check due to timed out session #6440
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
The CSP nonce is based on the CSRF token. This token does not change, unless you log in (or out). In case of the session data being lost, e.g. because php gets rid of old sessions, a new CSRF token is gen- erated. While this is fine in theory, it actually caused some annoying problems where the browser restored a tab and Nextcloud js was blocked due to an outdated nonce. The main problem here is that, while processing the request, we write out security headers relatively early. At that point the CSRF token is known/generated and transformed into a CSP nonce. During this request, however, we also log the user in because the session information was lost. At that point we also refresh the CSRF token, which eventually causes the browser to block any scripts as the nonce in the header does not match the one which is used to include scripts. This patch adds a flag to indicate whether the CSRF token should be refreshed or not. It is assumed that refreshing is only necessary if we want to re-generate the session id too. To my knowledge, this case only happens on fresh logins, not when we recover from a deleted session file. Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
ChristophWurst
requested review from
LukasReschke,
MorrisJobke,
rullzer and
skjnldsv
rullzer
approved these changes
Sep 11, 2017
skjnldsv
approved these changes
Sep 11, 2017
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Backport of #6360
The CSP nonce is based on the CSRF token. This token does not change,
unless you log in (or out). In case of the session data being lost,
e.g. because php gets rid of old sessions, a new CSRF token is gen-
erated. While this is fine in theory, it actually caused some annoying
problems where the browser restored a tab and Nextcloud js was blocked
due to an outdated nonce.
The main problem here is that, while processing the request, we write
out security headers relatively early. At that point the CSRF token
is known/generated and transformed into a CSP nonce. During this request,
however, we also log the user in because the session information was
lost. At that point we also refresh the CSRF token, which eventually
causes the browser to block any scripts as the nonce in the header
does not match the one which is used to include scripts.
This patch adds a flag to indicate whether the CSRF token should be
refreshed or not. It is assumed that refreshing is only necessary
if we want to re-generate the session id too. To my knowledge, this
case only happens on fresh logins, not when we recover from a deleted
session file.