Closed chrispatmore closed 1 year ago
Hi @chrispatmore
This is the wrong repository, this issue should have been reported to vertx-web
.
Anyway, it seems ok to me if you can't make non-GET requests until you get a new token, that's the purpose of the CSRF token.
If you make a GET request though, it should be sent as a response header, even after a POST
request which was never replied.
Perhaps what you want is that the cookie is updated if does not contain the refreshed token?
Would that be fine regarding security @pmlopes ?
Oops sorry, do you want me to move it?
Yea GET requests updating the token would be fine, as it would enable the user to carry on without logging in again
Oops sorry, do you want me to move it?
Yes please
CSRF is a mitigation against replay attacks, hence the issue that a request that never finishes, blocks the whole sequence of future requests. The way I see it is that:
and:
Should only happen on a successful response:
By wrapping that code only in case of success. This should address the cases:
Tests need to be run to verify if this works as expected.
Thanks @pmlopes !
So @chrispatmore , if you can provide a test for Vert.x Web that shows 1/ and /2 don't work, please open an issue there.
Sorry to be clear, you would like me to:
move this issue to web, then work on this issue using suggestion from @pmlopes ?
Sorry to be clear, you would like me to:
move this issue to web, then work on this issue using suggestion from @pmlopes ?
yes please
Version
4.3.8 -> 4.4.1
Context
Whilst using a web application served using vertx with vertx auth and the vertx CSRF handler on the backend APIs, I managed to get into a situation where I could no longer make successful (non GET) requests to my APIs. What had happened is:
Do you have a reproducer?
Here is a gist that shows the behaviour: https://gist.github.com/chrispatmore/89c5c7c35df4321a62699eb1eaf4c791
If you run that and use
get
andpostWorking
buttons a bit to show its working. then usepostBroken
which doesn't respond to deliberately cause the issue. You will find thatpostWorking
is now unable to work again until clearing the session token. (removing CSRF token alone doesn't work)Steps to reproduce
Extra
There are quite a few options to fix this of varying levels of user involvement:
The differences here (other than user interaction) are whether any of these reduce the security of the CSRF Handler as secure. i.e. is it risky to send back a valid token to an invalid request (2.i)
As I understand it, the CSRF token's job is to mitigate against pre-programmed requests against a server in other sites / email links / images etc. by requiring a header (which aren't sent in some of these scenarios) Or needing a value you couldn't pre program. I am not sure if sending back a valid token in some scenarios would invalidate this defence