tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Christopher Schultz <ch...@christopherschultz.net>
Subject Using CSRF prevention filter with session-timeout workflow resumption
Date Wed, 20 Nov 2019 20:36:31 GMT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

All,

The servlet spec defines the workflow for form-based authentication:
if the client requests a protected resource, an authorization check is
performed. If the user is unauthenticated, the login form is shown.
Successful login allows the user to be sent to the
originally-requested resource.

This works great to allow users to pick-up workflows where they
left-off in the case of session timeout: once authenticated, the user
is sent back to the page they were trying to get to originally,
including a potential re-POST of form data, for example.

With the CSRF prevention filter in-place, this then causes an error
(well, CSRF policy violation == forbidden response) because the nonce
originally added to the request's query string no longer matches a
valid nonce on the server.

This can be considered both good and bad behavior. Good: if handed a
forged nonce from an attacker, the nonce will not be valid if the user
is asked to login. Session-fixation attacks could get an attacker
around this. Bad: it completely and totally breaks workflow-resumption.

I'm looking for a way around this because I *really* like the fact
that you can resume a workflow after re-authenticating.

(I happen to be using a 3rd-party authentication and authorization
library implemented as a Filter and I'm having some issues with
getting that working as well, but the problem exists with the stock
Tomcat authenticators.)

Is there a safe way to implement workflow-resumption in the presence
of the CSRF prevention filter? Or even under *any* CSRF scheme?

- -chris
-----BEGIN PGP SIGNATURE-----
Comment: Using GnuPG with Thunderbird - https://www.enigmail.net/

iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAl3Vo88ACgkQHPApP6U8
pFjuWxAAirnEimlquVNLUA+yfTT+rsCA+6TFxv0soDDg/ln5F7GX7AsVdnAL3SDZ
jPWxBYKsiW+jaPS56DYIawW5foTqy+dHfgawmR8zH4g4IK1tvlBq+yMOJ1zDDPLC
5lcWm2vGXHuFO+/PHo97Yom0r+I7cVOm9V7S5oa8vJtq/YXHGchqKfDzF/10NBAp
xNQaQ1FJhEQBjcup9ZWFy51+f5g9F3GmtvAgqdirhCAgr5N+muWbyaUMXkXPqagx
HdZhpZNJ1jtiidhE9lAK10wOHz9AtlacLNQker8etg6Bct2QDxbooxHKppdZwQP9
WrtXreE8BNtmDCYKyKIMHKQq4VozO834FMFCMLfDBKE8j4u07ctDnj5GzahEKGTp
pr/81Q9bLnH5YeHFFkNeh1uZNpcy7M/NBALvF1cJF0QztRQw6V7I7m7AAsC/AjW6
wKfQh+qhmQzSHQcho8E3kdF5HbU38lNS8hVFFoowwzKKUJXjXWOZ77z2di4tW6ll
MQRIpw0oFfDZoVQHDLEp51OyVtrPfhia12NFWrY26H9hBHYXZIDrzbUgNgDsfEJh
i9tytiPpl/A0Tmh1yhuKRlZsb29tSDKKEki39G7rz/Usgi64U+vslkA5TWp1YJ2I
CSq2mXGhERguTguSC8eg3tXQUsTz/gWFIccC/LALP4caqJYTqfI=
=NJaQ
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org


Mime
View raw message