XSRF token is removed if an invalid token is passed #2174

Closed
michael-e opened this Issue Aug 24, 2014 · 10 comments

michael-e commented Aug 24, 2014

I am not sure if this is a bug or a feature—I simply don't understand why this happens (because I thought that XSRF tokens will live as long as the session).

When an invalid XSRF token is sent, the existing token gets removed. So the client will have to retrieve a new token. If you are building an API, for example, you will have to build additional logic into the client software that talks to this API. (Shouldn't it suffice to retrieve the token once per valid session?)

@michael-e michael-e changed the title from XSRF is removed if an invalid token is passed to XSRF token is removed if an invalid token is passed Aug 24, 2014

michael-e commented Aug 24, 2014

It happens in this line.

nitriques commented Aug 26, 2014

I think it defeats the purpose, since you may want to reset the actual token value in order to prevent unauthorized access, but it should still be valid for the duration of the session as long as no other calls are made (am I right here?)

brendo commented Oct 20, 2014

Let's change this for 2.6.0. Tokens no longer need to be an array, so there's a bunch of simplification that can occur that's a hangover from having individual expiry times. The XSRF token will be valid for the lifetime of the session as per earlier discussions.
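To make the design decision concrete, here is an added example (not Symphony's own code) contrasting the reported behaviour, where a mismatch discards the stored token, with a session-scoped token that survives an invalid submission. The `$session` array stands in for `$_SESSION` and the `xsrf-token` key is an assumption, so the script runs from the command line without a web server.

```php
<?php
// Issue the token once per session; subsequent calls return the same value.
function xsrfToken(array &$session): string
{
    if (empty($session['xsrf-token'])) {   // key name is an assumption
        $session['xsrf-token'] = bin2hex(random_bytes(32));
    }
    return $session['xsrf-token'];
}

// Behaviour described in the issue: an invalid token wipes the stored one,
// forcing the client to fetch a fresh token before its next request.
function xsrfValidateDiscarding(array &$session, ?string $submitted): bool
{
    $ok = is_string($submitted) && hash_equals(xsrfToken($session), $submitted);
    if (!$ok) {
        unset($session['xsrf-token']);
    }
    return $ok;
}

// Session-lifetime behaviour agreed above: reject the request, keep the token.
// hash_equals() gives a constant-time comparison so the check itself does not
// leak information about the stored value.
function xsrfValidateSessionScoped(array &$session, ?string $submitted): bool
{
    return is_string($submitted) && hash_equals(xsrfToken($session), $submitted);
}

// Constructed in-memory session for the demonstration.
$session = [];
$token   = xsrfToken($session);

// One bad request with the discarding variant: the good token is now useless.
xsrfValidateDiscarding($session, 'not-the-token');
printf("discarding: original token still valid? %s\n",
    xsrfValidateSessionScoped($session, $token) ? 'yes' : 'no');

// Same sequence with the session-scoped variant: the client keeps working.
$session = [];
$token   = xsrfToken($session);
xsrfValidateSessionScoped($session, 'not-the-token');
printf("session-scoped: original token still valid? %s\n",
    xsrfValidateSessionScoped($session, $token) ? 'yes' : 'no');
```

Either variant still rejects a forged request; the difference is only whether a legitimate client is punished for one invalid submission, which is the API-client concern raised at the top of the thread.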

@brendo brendo modified the milestones: 2.7.0, 2.6.0 Oct 20, 2014

@brendo brendo self-assigned this Oct 20, 2014

nitriques commented Oct 30, 2014

> The XSRF token will be valid for the lifetime of the session as per earlier discussions.

And would it still prevent access from multiple tabs? (If I save an entry that is open in two tabs, will the second one throw an error?)

michael-e commented Oct 30, 2014

> And would it still prevent access from multiple tabs?

Why should it do that?

nitriques commented Oct 30, 2014

> Why should it do that?

Because it did in the past and I found that useful (it prevents overwriting data).

michael-e commented Oct 30, 2014

Useful or not, that is not the task of an XSRF token.

nitriques commented Oct 30, 2014

> Useful or not, that is not the task of an XSRF token.

Agreed. Thanks for the precision.

michael-e commented Oct 30, 2014

You're welcome, @nitriques.

michael-e commented Nov 13, 2014

FYI: Today I updated my current development project to current integration code, so I am on the testing track again. Confirmed that the original issue is solved.

nitriques added a commit to DeuxHuitHuit/symphonycms that referenced this issue Feb 19, 2015
