tomcat-dev mailing list archives

From: Christopher Schultz <ch...@christopherschultz.net>
Subject: Re: Using CSRF prevention filter with session-timeout workflow resumption
Date: Thu, 21 Nov 2019 15:53:23 GMT

Mark,

On 11/21/19 04:00, Mark Thomas wrote:
>> All,
>> 
>> The servlet spec defines the workflow for form-based
>> authentication: if the client requests a protected resource, an
>> authorization check is performed. If the user is unauthenticated,
>> the login form is shown. Successful login allows the user to be
>> sent to the originally-requested resource.
>> 
>> This works great to allow users to pick-up workflows where they 
>> left-off in the case of session timeout: once authenticated, the
>> user is sent back to the page they were trying to get to
>> originally, including a potential re-POST of form data, for
>> example.
>> 
>> With the CSRF prevention filter in-place, this then causes an
>> error (well, CSRF policy violation == forbidden response) because
>> the nonce originally added to the request's query string no
>> longer matches a valid nonce on the server.
>> 
>> This can be considered both good and bad behavior. Good: if
>> handed a forged nonce from an attacker, the nonce will not be
>> valid if the user is asked to login. Session-fixation attacks
>> could get an attacker around this. Bad: it completely and totally
>> breaks workflow-resumption.
>> 
>> I'm looking for a way around this because I *really* like the
>> fact that you can resume a workflow after re-authenticating.
>> 
>> (I happen to be using a 3rd-party authentication and
>> authorization library implemented as a Filter and I'm having some
>> issues with getting that working as well, but the problem exists
>> with the stock Tomcat authenticators.)
>> 
>> Is there a safe way to implement workflow-resumption in the
>> presence of the CSRF prevention filter? Or even under *any* CSRF
>> scheme?
> 
> Use an Origin based protection?

So something like CORS? I haven't dived into CORS, yet. Is it fair to
say that CSRF might be a simpler and less powerful standard while CORS
is a replacement for it? Or do they serve different use-cases?

-chris
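Mark's suggestion of an Origin-based check, written out as an added example (not code from the thread or from Tomcat's own CsrfPreventionFilter): a servlet Filter that rejects state-changing requests unless the browser-supplied Origin header, or failing that the Referer, names the application's own origin. The class name, the allowed-origin value and the Referer fallback are assumptions. Because the decision uses request headers only and no session-bound nonce, a session timing out before a saved request is replayed does not change the outcome.

```java
import java.io.IOException;
import java.net.URI;
import java.util.*;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical example filter; not Tomcat's CsrfPreventionFilter.
public class OriginCsrfFilter implements Filter {
    // Origins the application is served from (constructed value for this example).
    private static final Set<String> ALLOWED_ORIGINS = Collections.singleton("https://app.example.com");
    // Methods that must not change state and therefore need no CSRF check.
    private static final Set<String> SAFE_METHODS = new HashSet<>(Arrays.asList("GET", "HEAD", "OPTIONS"));
    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        if (SAFE_METHODS.contains(request.getMethod()) || isTrustedSource(request)) {
            chain.doFilter(req, res);
        } else {
            // Decided from request headers alone, with no session-bound nonce, so a saved
            // request replayed after re-authentication is judged like any other request.
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_FORBIDDEN);
        }
    }
    // Accept only if the browser-supplied Origin (or, for browsers that omit it on
    // same-origin POSTs, the Referer) names one of this application's own origins.
    static boolean isTrustedSource(HttpServletRequest request) {
        String origin = request.getHeader("Origin");
        if (origin == null) {
            String referer = request.getHeader("Referer");
            if (referer == null) {
                return false; // neither header present: source cannot be verified
            }
            origin = originOf(referer);
        }
        return origin != null && ALLOWED_ORIGINS.contains(origin); // "Origin: null" fails too
    }
    // Reduce a URL to scheme://host[:port] so it can be compared with ALLOWED_ORIGINS.
    static String originOf(String url) {
        try {
            URI u = URI.create(url);
            if (u.getScheme() == null || u.getHost() == null) return null;
            int port = u.getPort();
            return u.getScheme() + "://" + u.getHost() + (port == -1 ? "" : ":" + port);
        } catch (IllegalArgumentException e) {
            return null; // malformed Referer
        }
    }
}
```

Mapped to the protected URLs in web.xml, this replaces the per-session nonce comparison that the original message describes as failing after a timeout; note that a request carrying neither header is rejected rather than assumed safe.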


