CSRF cookie should be refreshed on each request #36946

FroMage · 2023-11-08T14:23:22Z

ATM the CSRF filter only sets a CSRF cookie for safe methods (like GET) if it does not exist, but it never refreshes it.

So, for example, what can happen, since the cookie expires after 10 minutes, is the following:

T + 0 minutes : GET, get a CSRF cookie, OK
T + 1 minute : GET, existing CSRF cookie sent in request, no new CSRF cookie in response, OK
T + 2 minutes : POST, existing CSRF cookie sent in request, no new CSRF cookie in response, OK
T + 9 minute : GET, existing CSRF cookie sent in request, no new CSRF cookie in response, OK
T + 11 minutes : POST, expired CSRF cookie NOT sent in request, FAIL

We should refresh the CSRF cookie on every request, safe or even POST. This has been reported by several users independently.

The text was updated successfully, but these errors were encountered:

quarkus-bot · 2023-11-08T14:23:48Z

/cc @pedroigor (bearer-token), @sberyozkin (bearer-token,jwt,security)

ia3andy · 2023-11-08T14:29:50Z

Thanks @FroMage It looks like what I experienced 👍

sberyozkin · 2023-11-08T15:49:50Z

@FroMage @ia3andy Do you mean that when the cookie has arrived and verified, it is then removed, and created again with the same value ?

FroMage · 2023-11-08T16:35:22Z

Same value, and expired date renewed for X more time.

FroMage added the kind/bug Something isn't working label Nov 8, 2023

quarkus-bot bot added the triage/needs-triage label Nov 8, 2023

FroMage added area/security and removed triage/needs-triage labels Nov 8, 2023

sberyozkin self-assigned this Nov 8, 2023

sberyozkin mentioned this issue Dec 13, 2023

Reset CSRF cookie to minimize a risk of failures due to its expiry #37725

Merged

sberyozkin closed this as completed in #37725 Dec 26, 2023

quarkus-bot bot added this to the 3.7 - main milestone Dec 26, 2023

gsmet modified the milestones: 3.7 - main, 3.6.5 Jan 9, 2024

Provide feedback