
reset_session when logging out changes csrf_token

Open hgani opened this issue 10 years ago • 5 comments

I noticed that logging out destroys the whole session (including csrf token) and causes a new token to be regenerated. See: https://github.com/NoamB/sorcery/blob/master/lib/sorcery/controller.rb#L60

This causes a problem when a user has two tabs open. In the first tab, the user views a form. In the second tab, the user logs out (which essentially changes the currently active token).

When the user goes back to the first tab and submits the form, it will fail because the page still uses the old token.

My questions:

  1. Is this behaviour intentional or is this a bug?
  2. If it is, what should my web app do? Because as it is, the failure will really confuse the user.

By the way, this issue is similar to https://github.com/NoamB/sorcery/issues/250

Thanks

hgani avatar Nov 13 '13 04:11 hgani

Honestly, I have no idea why we need to reset the whole session after logging out. Maybe @NoamB knows that?

kirs avatar Nov 13 '13 07:11 kirs

Hi,

Please take a look at #31 and maybe #250 is related too.

I don't remember the details for CSRF, but both deleting the session and the CSRF tokens are security measures. Sessions, in general, can be stolen (XSS), and to make this threat less potent we need to make a new one after every login (this way throwing out any attackers logged in as 'you') and throw out the old one on every logout/expiration.

Also I don't see the use case of logging out in one tab and submitting from another tab. Is this the same user? Why would you actively log out from one of the tabs, then, if you are filling in a form you want to submit?

NoamB avatar Nov 13 '13 14:11 NoamB

Hi guys, thanks for the responses.

  1. I might be wrong, but from actually testing it out, it seems that we make a new CSRF token upon logout, but not upon login. I am guessing this is because we explicitly invoke form_authenticity_token when logging in, as shown on https://github.com/NoamB/sorcery/blob/master/lib/sorcery/controller.rb#L40. Is this as intended?

  2. This was what really happened to me:

  • I was logged out on my first tab
  • I opened the second tab, logged in, and then logged out (at this point the second tab has the new token while the first tab has an old one)
  • I went off to visit other websites on other tabs
  • I went back to my website, but I opened the first tab instead of the second tab. I tried to log in (which obviously involves filling in the login form) and got the TokenAuthenticity error

I think it is not uncommon for users to leave multiple tabs open and end up having some tabs with the new token while some others with old tokens.

If it turns out that there is nothing that Sorcery can do to fix this (due to security reasons), I am looking for a suggestion on how my website should behave to avoid confusing my users.

Thanks.

hgani avatar Nov 13 '13 14:11 hgani

Regarding 1 I suppose this is part of the fix for #31.

Regarding 2, I understand the use case and it is a valid one. I agree that the login form is a special case, since it should always allow you to log in, expired session and authenticity tokens or not. I would expect the login form not to have this token at all if possible. All other forms, once submitted with bad tokens, should take you to the login form to authenticate (to prevent someone with access to your computer from doing damage hours after you left the browser open).

What do you guys think?


NoamB avatar Nov 13 '13 15:11 NoamB
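The session handling NoamB describes (a fresh session on every login so that a session id fixed or stolen beforehand stops working, and a reset on logout that also replaces the CSRF token) together with the behaviour he proposes for stale tokens can be modelled in a few dozen lines. The following is an added example written for this thread; it is not Sorcery's or Rails' code. It uses a constructed in-memory session store, a `secure_compare` helper modelled on ActiveSupport's, and a `login` action that skips the token check, which is the thread's proposal rather than an established recommendation; everything else (class and method names) is invented for the illustration.

```ruby
require 'securerandom'

# Constructed in-memory session store (assumption: stands in for a real
# Rails/Rack session backend). Each session carries its own CSRF token.
class SessionStore
  attr_reader :sessions

  def initialize
    @sessions = {} # session id => Hash of session data
  end

  # Create a brand-new session with a fresh CSRF token; returns its id.
  def create
    id = SecureRandom.hex(16)
    @sessions[id] = { csrf_token: SecureRandom.base64(32) }
    id
  end

  def [](id)
    @sessions[id]
  end

  # Equivalent of Rails' reset_session: the old session is gone for good,
  # so any id or token learned before this point is useless.
  def reset(id)
    @sessions.delete(id)
    create
  end
end

class App
  attr_reader :store

  def initialize
    @store = SessionStore.new
  end

  # Rendering a page embeds the current session's token in the form; this is
  # what an open browser tab "remembers" until it is reloaded.
  def render_page(session_id = nil)
    session_id = @store.create unless session_id && @store[session_id]
    { session_id: session_id, csrf_token: @store[session_id][:csrf_token] }
  end

  # Login rotates the session (session-fixation defence). Following the
  # thread's proposal, the login action does not verify a CSRF token.
  def login(session_id, user_id)
    new_id = @store.reset(session_id)
    @store[new_id][:user_id] = user_id
    new_id
  end

  # Logout resets the session; as a side effect the CSRF token changes too.
  def logout(session_id)
    @store.reset(session_id)
  end

  # Every other form: compare the submitted token with the current session's
  # token in constant time. A mismatch (e.g. a tab rendered before a logout)
  # becomes a redirect to the login page, as proposed in the thread, instead
  # of an InvalidAuthenticityToken error shown to the user.
  def submit_form(session_id, submitted_token)
    session = @store[session_id]
    return { status: 302, location: '/login' } if session.nil?
    return { status: 302, location: '/login' } unless submitted_token &&
      secure_compare(session[:csrf_token], submitted_token)
    { status: 200 }
  end

  private

  # Constant-time comparison, same idea as ActiveSupport::SecurityUtils.secure_compare.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    diff = 0
    a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
    diff.zero?
  end
end

# The two-tab scenario from the thread, played through the model above.
def two_tab_scenario
  app  = App.new
  tab1 = app.render_page                   # tab 1: logged-out page, token T1
  sid  = app.login(tab1[:session_id], 42)  # tab 2: log in, session rotated
  old_session_gone = app.store[tab1[:session_id]].nil?
  sid  = app.logout(sid)                   # tab 2: log out, session reset again
  stale = app.submit_form(sid, tab1[:csrf_token])               # tab 1 submits T1
  fresh = app.submit_form(sid, app.render_page(sid)[:csrf_token]) # reloaded tab
  { old_session_gone: old_session_gone, stale: stale, fresh: fresh }
end

p two_tab_scenario if $PROGRAM_NAME == __FILE__
```

Running the scenario shows the three facts the thread turns on: the pre-login session no longer exists after login, the submission carrying tab 1's old token is answered with a redirect to `/login` rather than an error, and a form rendered after the reset submits normally.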

Sounds good, although I have to admit I don't have a strong background in security. As I understand it, the login form doesn't need a CSRF token because the main purpose is to prevent hackers from riding on an existing login session, which does not exist prior to logging in.

Regarding the two proposed behaviours -- 1 (login should ignore token) and 2 (take users to login form if we encounter bad tokens), can these be handled by Sorcery or are developers meant to implement these themselves?

hgani avatar Nov 14 '13 04:11 hgani