Bug #25359

Essential form protection tokens are dropped when being logged in for a "long" time

Added by Helmut Hummel over 7 years ago. Updated over 7 years ago.

Status:
Closed
Priority:
Should have
Assignee:
Category:
-
Target version:
Start date:
2011-03-20
Due date:
% Done:

100%

TYPO3 Version:
4.5
PHP Version:
Tags:
Complexity:
Is Regression:
Sprint Focus:

Description

Problem:
The backend form protection uses the session data field to store created tokens. Since this database field has a certain size, the framework starts dropping tokens when it holds a certain number of tokens.

When doing so, it is very likely that tokens which are seldom replaced (like the ExtDirect token or the clear cache tokens) will be dropped, resulting in token validation error messages.

Solution:
I suggest abandoning the extra security feature of having unique tokens, because it turned out to add a complexity which is almost impossible to handle.

(issue imported from #M17991)


Related issues

Related to TYPO3 Core - Bug #24671: Protect C(R)UD actions against CSRF Closed 2011-01-20
Related to TYPO3 Core - Bug #25164: Copy & Paste: "Validating the security token of this form has failed. Please reload the form and submit it again." Closed 2011-02-24

Associated revisions

Revision d8b85b63 (diff)
Added by Helmut Hummel over 7 years ago

[BUGFIX] Abandon one time CSRF tokens

Abandon the extra security feature of having one time tokens and create tokens
which are valid during a whole login session. Additionally create only one random token,
store it in the session and create the real URL and form tokens by hashing the scope strings
with the secret session token.

To enable re-login, store the session token in the registry and retrieve it in case a
re-login happens.

Thanks to Marion Eher (Bluechip.at) for sponsoring
this fix with 75 beers during the bug auction at T3BOARD11.

Resolves: #25359
Change-Id: If37990fbc1ae3701777e8218cc1bc8760a4d6a55
Releases: 4.6, 4.5
Reviewed-on: http://review.typo3.org/1364
Reviewed-by: Helmut Hummel
Tested-by: Helmut Hummel
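The scheme the commit message describes, and the overflow problem from the description it avoids, as an added Python model (not TYPO3's PHP code): one random secret per login session, every form and URL token derived by HMAC over its scope string, and the secret kept in a registry so a re-login still validates older forms. The in-memory session and registry dicts, the user ids and the scope names are constructed stand-ins.

```python
import hashlib
import hmac
import secrets

# Constructed in-memory stand-ins for the backend user session and the
# persistent registry; the real ones are database-backed.
SESSION_KEY = "formSessionToken"


class FormProtection:
    """Derive every form/URL token from one secret session token.

    token = HMAC-SHA256(session_token, "form|action|instance"). Nothing is
    stored per token, so no session field can fill up and drop tokens.
    """

    def __init__(self, session: dict, registry: dict, user_id: str):
        self.session, self.registry = session, registry
        token = session.get(SESSION_KEY)
        if token is None:
            # Re-login: reuse the secret persisted for this user, so tokens in
            # forms rendered before the old session expired remain valid.
            token = registry.get(("formSessionToken", user_id))
        if token is None:
            token = secrets.token_hex(32)  # 256-bit secret, created once per login
            registry[("formSessionToken", user_id)] = token
        session[SESSION_KEY] = token
        self.session_token = token

    def generate_token(self, form: str, action: str = "", instance: str = "") -> str:
        scope = "|".join((form, action, instance))
        return hmac.new(self.session_token.encode(), scope.encode(), hashlib.sha256).hexdigest()

    def validate_token(self, token: str, form: str, action: str = "", instance: str = "") -> bool:
        expected = self.generate_token(form, action, instance)
        return hmac.compare_digest(token, expected)  # constant-time comparison


def demo() -> dict:
    registry: dict = {}
    first = FormProtection({}, registry, "admin")
    token = first.generate_token("tceAction", "clearCache", "all")
    # Session expired, user logged in again: a fresh, empty session.
    relogin = FormProtection({}, registry, "admin")
    other_user = FormProtection({}, registry, "editor")
    return {
        "same_scope": relogin.validate_token(token, "tceAction", "clearCache", "all"),
        "other_scope": relogin.validate_token(token, "tceAction", "clearCache", "pages"),
        "other_user": other_user.validate_token(token, "tceAction", "clearCache", "all"),
    }
```

Because a token is a pure function of the session secret and its scope, a token leaked from one form cannot be replayed against another scope or another user's session.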

Revision 668e715c (diff)
Added by Helmut Hummel over 7 years ago

[BUGFIX] Abandon one time CSRF tokens

Abandon the extra security feature of having one time tokens and create tokens
which are valid during a whole login session. Additionally create only one random token,
store it in the session and create the real URL and form tokens by hashing the scope strings
with the secret session token.

To enable re-login, store the session token in the registry and retrieve it in case a
re-login happens.

Thanks to Marion Eher (Bluechip.at) for sponsoring
this fix with 75 beers during the bug auction at T3BOARD11.

Resolves: #25359
Change-Id: I078a6fa7f579026a33568fd0af114e5776c994da
Reviewed-on: http://review.typo3.org/1361
Reviewed-by: Helmut Hummel
Tested-by: Helmut Hummel

History

#1 Updated by Helmut Hummel over 7 years ago

  • Assignee set to Helmut Hummel
  • Target version deleted (0)

#2 Updated by Mr. Hudson over 7 years ago

Patch set 1 of change I784a1a6eef947a9030ffa8233c2a866818fd99c5 has been pushed to the review server.
It is available at http://review.typo3.org/1359

#3 Updated by Mr. Hudson over 7 years ago

Patch set 2 of change I784a1a6eef947a9030ffa8233c2a866818fd99c5 has been pushed to the review server.
It is available at http://review.typo3.org/1359

#4 Updated by Mr. Hudson over 7 years ago

Patch set 1 of change I078a6fa7f579026a33568fd0af114e5776c994da has been pushed to the review server.
It is available at http://review.typo3.org/1361

#5 Updated by Mr. Hudson over 7 years ago

Patch set 1 of change If37990fbc1ae3701777e8218cc1bc8760a4d6a55 has been pushed to the review server.
It is available at http://review.typo3.org/1364

#6 Updated by Helmut Hummel over 7 years ago

  • Target version set to 4.5.3
  • % Done changed from 0 to 100

Please ignore review request 1359, it was wrong and I abandoned it.

#7 Updated by Mr. Hudson over 7 years ago

Patch set 2 of change If37990fbc1ae3701777e8218cc1bc8760a4d6a55 has been pushed to the review server.
It is available at http://review.typo3.org/1364

#8 Updated by Mr. Hudson over 7 years ago

Patch set 2 of change I078a6fa7f579026a33568fd0af114e5776c994da has been pushed to the review server.
It is available at http://review.typo3.org/1361

#9 Updated by Mr. Hudson over 7 years ago

Patch set 3 of change If37990fbc1ae3701777e8218cc1bc8760a4d6a55 has been pushed to the review server.
It is available at http://review.typo3.org/1364

#10 Updated by Mr. Hudson over 7 years ago

Patch set 4 of change If37990fbc1ae3701777e8218cc1bc8760a4d6a55 has been pushed to the review server.
It is available at http://review.typo3.org/1364

#11 Updated by Mr. Hudson over 7 years ago

Patch set 3 of change I078a6fa7f579026a33568fd0af114e5776c994da has been pushed to the review server.
It is available at http://review.typo3.org/1361

#12 Updated by Mr. Hudson over 7 years ago

Patch set 4 of change I078a6fa7f579026a33568fd0af114e5776c994da has been pushed to the review server.
It is available at http://review.typo3.org/1361

#13 Updated by Mr. Hudson over 7 years ago

Patch set 5 of change If37990fbc1ae3701777e8218cc1bc8760a4d6a55 has been pushed to the review server.
It is available at http://review.typo3.org/1364

#14 Updated by Mr. Hudson over 7 years ago

Patch set 6 of change If37990fbc1ae3701777e8218cc1bc8760a4d6a55 has been pushed to the review server.
It is available at http://review.typo3.org/1364

#15 Updated by Mr. Hudson over 7 years ago

Patch set 7 of change If37990fbc1ae3701777e8218cc1bc8760a4d6a55 has been pushed to the review server.
It is available at http://review.typo3.org/1364

#16 Updated by Mr. Hudson over 7 years ago

Patch set 5 of change I078a6fa7f579026a33568fd0af114e5776c994da has been pushed to the review server.
It is available at http://review.typo3.org/1361

#17 Updated by Anonymous over 7 years ago

  • Status changed from New to Resolved

#18 Updated by Oliver Hader over 7 years ago

  • Status changed from Resolved to Closed
