Enhancement #3445
Backport of Nethgui CSRF fixes and Session expiry
Field | Value
---|---
Status: | CLOSED
Priority: | Normal
Assignee: | -
Category: | nethserver-httpd-admin
Target version: | v6.10
Start date: |
Due date: |
% Done: | 100%
Resolution: |
NEEDINFO: | No
Description
The CSRF token rotation was enhanced to mitigate the effect of the token invalidation produced by multi-tab browsers.
Also, the session expiration props ``MaxSessionIdleTime`` and ``MaxSessionLifeTime`` were introduced.
Issues from ns7:
- https://github.com/NethServer/dev/issues/5459
- https://github.com/NethServer/dev/issues/5460
- https://github.com/NethServer/dev/issues/5477
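To make the two mechanisms in the description concrete, the following is an added illustration written for this page; it is not Nethgui's code and does not claim to show how Nethgui implements the fix. It models a per-session CSRF token that is rotated on every accepted state-changing request, but keeps superseded tokens usable for a short handoff window, so a second browser tab that still holds the older token is not rejected with a 400 on its next POST. It also enforces idle and lifetime limits in the spirit of ``MaxSessionIdleTime`` and ``MaxSessionLifeTime``. The class and method names, the default values, the handoff-window approach and the injected clock are all assumptions of this example.

```python
"""Added illustration (not Nethgui's code): CSRF token rotation with a
handoff window for multi-tab browsing, plus idle/lifetime session expiry.
Class and method names, defaults and the handoff approach are assumptions."""
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Session:
    created_at: float          # checked against the lifetime limit
    last_seen: float           # checked against the idle limit
    token: str                 # the current CSRF token
    # Tokens superseded by rotation, mapped to the time they were superseded.
    # They stay valid for `handoff` seconds so a second tab that still holds
    # one is not rejected on its next POST.
    retired: dict = field(default_factory=dict)


class CsrfSessionStore:
    def __init__(self, max_idle=1800, max_life=28800, handoff=30):
        self.max_idle = max_idle    # seconds, in the spirit of MaxSessionIdleTime
        self.max_life = max_life    # seconds, in the spirit of MaxSessionLifeTime
        self.handoff = handoff      # seconds a superseded token stays usable

    @staticmethod
    def _new_token():
        return secrets.token_urlsafe(32)

    def start(self, now):
        return Session(created_at=now, last_seen=now, token=self._new_token())

    def expiry_reason(self, s, now):
        """None while the session is alive, else which limit was hit."""
        if now - s.created_at > self.max_life:
            return "lifetime"
        if now - s.last_seen > self.max_idle:
            return "idle"
        return None

    def render(self, s, now):
        """A page load (GET): refresh the idle timer, hand out the current token."""
        if self.expiry_reason(s, now):
            return None
        s.last_seen = now
        return s.token

    def _token_valid(self, s, presented, now):
        p = presented.encode()
        if hmac.compare_digest(p, s.token.encode()):
            return True
        # a superseded token is still accepted inside its handoff window
        return any(hmac.compare_digest(p, t.encode()) and now - at <= self.handoff
                   for t, at in s.retired.items())

    def _rotate(self, s, now):
        s.retired[s.token] = now
        s.token = self._new_token()
        # drop tokens whose handoff window has closed, so the set stays bounded
        s.retired = {t: at for t, at in s.retired.items() if now - at <= self.handoff}

    def handle_post(self, s, presented, now):
        """A state-changing request. Returns (status, token for the response)."""
        reason = self.expiry_reason(s, now)
        if reason:
            return "expired:" + reason, None
        if not self._token_valid(s, presented, now):
            return "csrf", None
        s.last_seen = now
        self._rotate(s, now)
        return "ok", s.token


def multi_tab_demo():
    """Two tabs load the same form; both then submit the token they were given."""
    store = CsrfSessionStore(max_idle=600, max_life=3600, handoff=30)
    s = store.start(now=0)
    t1 = store.render(s, now=1)            # tab A loads the form
    assert store.render(s, now=2) == t1    # tab B loads it too, same token
    return [store.handle_post(s, t1, now=5)[0],    # tab A submits: rotates
            store.handle_post(s, t1, now=10)[0],   # tab B, stale token in window
            store.handle_post(s, t1, now=50)[0]]   # window closed: rejected


if __name__ == "__main__":
    print(multi_tab_demo())
```

The handoff window is the trade-off: without it, the first tab's POST invalidates every other open tab, which is the multi-tab breakage the description refers to; with it, a token that leaks stays replayable for at most `handoff` seconds after rotation, so the window should be kept short. Note that both the GET and the POST path refresh `last_seen`, so an active Server Manager session is not interrupted by the idle limit, while the lifetime limit is absolute and is reported first.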
Associated revisions
Backport of issues 5459, 5460, 5477 from ns7
Cherry-pick 127932b d7d227f feadae7 ee815a0
- Mitigate CSRF errors due to multi-tab browsing
- Improve CSRF error dialog message
- Decrease session handoff period
- Fix CSRF storage initialization
Refs #3445
Backport of CSRF token support for software center
- Add CSRF token to ClearYumCache and Pki forms
Cherry-pick 593c02ab1d1244
- Add "Software update policy" UI
Cherry-pick d7c914846db1 (partial)
Refs #3445
Backport of MaxSessionIdleTime MaxSessionLifeTime
Refs #3445
History
#1 Updated by Davide Principi about 3 years ago
- Category set to nethserver-httpd-admin
- Status changed from TRIAGED to MODIFIED
- % Done changed from 20 to 60
In nethserver-testing (6.10)
- nethserver-base-2.11.3-1.1.g0309248.ns6.noarch.rpm
- nethserver-httpd-admin-1.6.8-1.1.ge02348c.ns6.noarch.rpm
#2 Updated by Davide Principi about 3 years ago
- Subject changed from Backport of Nethgui CSRF fixes to Backport of Nethgui CSRF fixes and Session expiry
#3 Updated by Davide Principi about 3 years ago
- Status changed from MODIFIED to ON_QA
- Assignee deleted (Davide Principi)
- % Done changed from 60 to 70
Test case:
- install the updates from the software center or with an active Server Manager session
- check the session is not interrupted
- logout and check a new session obeys the expiry rules
#4 Updated by Davide Principi about 3 years ago
- Status changed from ON_QA to VERIFIED
- % Done changed from 70 to 90
Verified by syntaxerrormmm https://community.nethserver.org/t/nethserver-update-fails-with-server-error-nethgui-400-bad-request/8488/40
#5 Updated by Davide Principi about 3 years ago
- Status changed from VERIFIED to CLOSED
- % Done changed from 90 to 100
In nethserver-base 6.10
- nethserver-httpd-admin-1.7.0-1.ns6.noarch.rpm
- nethserver-base-2.11.4-1.ns6.noarch.rpm