Prolong form valid time (csrf related?)


Sebastian Kleine

Sep 19, 2022, 8:30:34 AM
to Magnolia User Mailing List
Hello,

We're running Magnolia CE websites with some forms. Some of them are quite long (5-6 pages) and have a lot of fields. Sometimes users get a "you are not allowed to submit, possibly the sessions has expired" message when submitting the form more than 30 minutes after opening it (which, given the details requested in the form, can happen). Sounds like a Tomcat timeout.

So we tried to keep the Tomcat session alive for longer. We did not change the Tomcat session timeout, but instead use an AJAX GET request on form pages to tell the server that the user is still active (we do that for a maximum of 2 hours). This keeps the Tomcat session alive (we see the same JSESSIONID after about 45 minutes). This solution works on another Magnolia instance (but that one is Magnolia DXP with a heavily customized form submit).

But even though the Tomcat session is still alive, the form submit still fails with the same problem. This is strange. Why is the form submit invalid after 30 minutes? Our guess is that the CSRF token is no longer available in the session. But why, and what can we do to keep the form submittable for longer than 30 minutes?

We're running Magnolia CE 6.2.17, but tried this even with the newest Magnolia version (6.2.24). There is some change to the CSRF handling in Magnolia 6.2.23 (details are not known), which seems to have no impact on this problem. With the Magnolia community demo webapp you can start it and open the contact page. After 35 minutes, submit it and you will get that "not allowed" error. You could even load other pages in a different browser tab in between (to keep the session alive); submitting the form is still not possible. Sometimes we see that another page (which has no form on it) has a response cookie "csrf" with a new value. We guess that setting a different CSRF cookie value causes the problem, because now the CSRF value sent in the form submit payload differs from the CSRF cookie value.
Why is the CSRF token sent in a cookie? In the description of CsrfCookieTokenFilter there is a link to this page: https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html#double-submit-cookie
If you scroll up a little bit there is a bold sentence: "CSRF tokens should not be transmitted using cookies".

The basic question is: how can we allow a form to be submitted after more than 30 minutes (or whatever the exact timeout is)?

Best regards,
Sebastian

Michael Dürig

Sep 19, 2022, 9:54:46 AM
to user...@magnolia-cms.com
Hi,

To further narrow this down I suggest you remove the Magnolia CSRF filters. Do this on a test instance only, as it will leave your instance vulnerable to CSRF attacks! The simplest way is to remove the /server/filters/csrfTokenSecurity node in the configuration workspace. If the problem persists after removing these filters, the root cause is in another part of the system (e.g. Vaadin, which comes with its own CSRF protection mechanism).

Michael


Michael Dürig

Sep 23, 2022, 4:48:26 AM
to Sebastian Kleine, Magnolia User Mailing List

Hi Sebastian,

In this case you can configure a longer time for the CSRF token to stay valid:

'csrfLogin':
  'class': 'info.magnolia.cms.security.CsrfCookieTokenFilter'
  'csrfTokenStrategy':
    'class': 'info.magnolia.cms.security.HmacCsrfToken'
    'tokenRenewalIntervalMinutes': '60'

With this the token stays valid for at least 60 minutes and up to 120 minutes. See the Javadoc of info.magnolia.cms.security.HmacCsrfToken#getTokenRenewalIntervalMinutes for details. Be advised, though, that an attacker who successfully steals a token from a user's browser session (e.g. via some other injection or MITM attack) would have more time to use it in a subsequent CSRF attack.

Michael

On Tue, 20 Sept 2022 at 09:15, Sebastian Kleine <sebastian....@gmail.com> wrote:
Hello Michael,

I've tried it on the test system with Magnolia 6.2.17. I did not remove the filter but set enabled to false. I could submit the form after 45 minutes (I loaded a few other pages in a new tab to keep the session alive). It also stopped setting CSRF cookies.
I also checked with the Magnolia 6.2.24 demo webapp bundle (for some reason it does not start the public instance on my system). Did the same (csrfTokenFilter enabled=false) and checked after 35 minutes (with some pages in another tab). I could also submit the form; it does not send a mail, but I do not get the "not allowed" error.

To me it looks like this is part of the Magnolia functionality.

Best regards,
Sebastian

Michael Dürig

Sep 23, 2022, 4:56:24 AM
to Sebastian Kleine, Magnolia User Mailing List
Same configuration applies for `/server/filters/csrfTokenSecurity/csrfAuthenticated` btw.

Michael
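To make the "at least 60 and up to 120 minutes" window from the configuration above concrete, here is an added illustration (not Magnolia's HmacCsrfToken code) of a time-bucketed HMAC token that is honored for the renewal interval it was minted in plus the following one, combined with the double-submit comparison of cookie and form field. All function names and the secret are assumptions made for the example.

```python
import hashlib
import hmac
import secrets

# Hypothetical server-side key; a real deployment keeps one per server or cluster.
SECRET = secrets.token_bytes(32)


def _bucket(now_seconds: float, interval_minutes: int) -> int:
    """Number of whole renewal intervals elapsed since the epoch."""
    return int(now_seconds // (interval_minutes * 60))


def _mac(secret: bytes, nonce: str, bucket: int) -> str:
    return hmac.new(secret, f"{nonce}:{bucket}".encode(), hashlib.sha256).hexdigest()


def issue_token(secret: bytes, now_seconds: float, interval_minutes: int) -> str:
    """Mint a token for the current interval; it is placed in the cookie and in a hidden field."""
    nonce = secrets.token_hex(16)          # per-issuance randomness so tokens are not shared
    bucket = _bucket(now_seconds, interval_minutes)
    return f"{nonce}:{bucket}:{_mac(secret, nonce, bucket)}"


def token_is_valid(secret: bytes, token: str, now_seconds: float, interval_minutes: int) -> bool:
    """Accept tokens from the current interval or the previous one.
    A token minted at the very end of an interval therefore lives ~1 interval,
    one minted at its very start lives ~2 intervals: 'at least 60, up to 120'."""
    parts = token.split(":")
    if len(parts) != 3 or not parts[1].isdigit():
        return False
    nonce, bucket, mac = parts[0], int(parts[1]), parts[2]
    current = _bucket(now_seconds, interval_minutes)
    if bucket not in (current, current - 1):
        return False                       # expired (or claims a future interval)
    return hmac.compare_digest(mac, _mac(secret, nonce, bucket))


def submit_is_allowed(secret: bytes, cookie_token, form_token, now_seconds: float,
                      interval_minutes: int) -> bool:
    """Double-submit check: cookie and hidden field must carry the same, still-valid token.
    A cookie rotated after the form was rendered fails here even if both tokens are valid."""
    if cookie_token is None or form_token is None:
        return False
    if not hmac.compare_digest(cookie_token, form_token):
        return False
    return token_is_valid(secret, form_token, now_seconds, interval_minutes)
```

The 30-minute default reproduces the thread's symptom: a form rendered at minute 0 and submitted at minute 61 is rejected, while with the interval raised to 60 the same submit is accepted.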