Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Reset CSRF cookie to minimize a risk of failures due to its expiry #37725

Merged
merged 1 commit into from
Dec 26, 2023

Conversation

sberyozkin
Copy link
Member

@sberyozkin sberyozkin commented Dec 13, 2023

Fixes #36946.
Fixes #37928.

@FroMage FYI, it won't guarantee the failure won't ever happen, for example, the cookie age is 10 mins and the user just sits idle for 11 min and then returns, but with a reasonably large cookie age and with this PR recycling cookies, the chance of it happening will be very low.
If you'd like please give this PR a try with Renarde or you can try snapshots later.
Andy, @ia3andy FYI
It is not urgent to review it, thanks

@sberyozkin sberyozkin assigned FroMage and unassigned FroMage Dec 13, 2023
@sberyozkin sberyozkin requested a review from FroMage December 13, 2023 23:09

This comment has been minimized.

Copy link
Member

@FroMage FroMage left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't have time to test this, but LGTM

@sberyozkin
Copy link
Member Author

Thanks Steph @FroMage, I wonder if there has to be a property enabling this cookie refreshment by default so that users can choose not to make it last indefinitely. I think I'll just add it before merging.

@FroMage
Copy link
Member

FroMage commented Dec 18, 2023

I don't see why anyone would want to do that. Perhaps better to wait until someone requests this with a use-case?

@sberyozkin
Copy link
Member Author

sberyozkin commented Dec 19, 2023

Hi Steph @FroMage, I was thinking today, may be the easiest is simply set the default cookie age to a few hours which will support most cases and if a whole day has to be supported then one will just increase the age.
I thought that this solution is not complete while it is also aiming to make this cookie age essentially unlimited and I'm not sure I appreciate if it can have some consequences or not.

@sberyozkin
Copy link
Member Author

Hey @FroMage I've decided to go ahead with this PR as after I started fixing #37928 I realized I was typing exactly the same code on the GET path as in this PR, this PR just needs a minor tweak to ensure the cookie is correctly reset when the token signature is required, so instead of resetting the token immediately in various places it will be done in the response filter, in a single place

@sberyozkin sberyozkin force-pushed the csrf_refresh_cookie branch 3 times, most recently from f21dbc1 to 32cfa46 Compare December 26, 2023 19:13
@sberyozkin
Copy link
Member Author

@FroMage I've also set a default cookie token age to 2H

@sberyozkin
Copy link
Member Author

Sorry for the noise with multiple pushes, hopefully not too many people are getting them today :-)

Copy link

quarkus-bot bot commented Dec 26, 2023

✔️ The latest workflow run for the pull request has completed successfully.

It should be safe to merge provided you have a look at the other checks in the summary.

@sberyozkin sberyozkin merged commit 7d15333 into quarkusio:main Dec 26, 2023
19 checks passed
@sberyozkin sberyozkin deleted the csrf_refresh_cookie branch December 26, 2023 21:12
@quarkus-bot quarkus-bot bot added this to the 3.7 - main milestone Dec 26, 2023
@FroMage
Copy link
Member

FroMage commented Jan 9, 2024

@gsmet Could we backport this one please? It's fixing a pretty serious CSRF bug which makes it unusable in 3.6.4: #37928

FroMage added a commit to FroMage/quarkus that referenced this pull request Jan 9, 2024
…he token

This is only a test to make sure we never regress on such a common
use-case. This was already fixed in quarkusio#37725
@gsmet gsmet modified the milestones: 3.7 - main, 3.6.5 Jan 9, 2024
@FroMage
Copy link
Member

FroMage commented Jan 10, 2024

Thanks!

FroMage added a commit that referenced this pull request Jan 17, 2024
…he token

This is only a test to make sure we never regress on such a common
use-case. This was already fixed in #37725
bpasson pushed a commit to bpasson/quarkus that referenced this pull request Jan 18, 2024
…he token

This is only a test to make sure we never regress on such a common
use-case. This was already fixed in quarkusio#37725
gsmet pushed a commit to gsmet/quarkus that referenced this pull request Jan 23, 2024
…he token

This is only a test to make sure we never regress on such a common
use-case. This was already fixed in quarkusio#37725

(cherry picked from commit 511b0c7)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
3 participants