Enhancement #3445

Backport of Nethgui CSRF fixes and Session expiry

Added by Davide Principi about 3 years ago. Updated about 3 years ago.

Status:CLOSEDStart date:
Priority:NormalDue date:
Assignee:-% Done:

100%

Category:nethserver-httpd-admin
Target version:v6.10
Resolution: NEEDINFO:No

Description

The CSRF token rotation was enhanced to mitigate the effect of the token invalidation produced by multi-tab browsers.

Also the session expiration props ``MaxSessionIdleTime``, ``MaxSessionLifeTime`` were introduced.

Issues from ns7:

- https://github.com/NethServer/dev/issues/5459
- https://github.com/NethServer/dev/issues/5460
- https://github.com/NethServer/dev/issues/5477

See also

https://community.nethserver.org/t/nethserver-update-fails-with-server-error-nethgui-400-bad-request/8488/36

Associated revisions

Revision d0e968fb
Added by Davide Principi about 3 years ago

Backport of issues 5459, 5460, 5477 from ns7

Cherry-pick 127932b d7d227f feadae7 ee815a0

- Mitigate CSRF errors due to multi-tab browsing
- Improve CSRF error dialog message
- Decrease session handoff period
- Fix CSRF storage initialization

Refs #3445

Revision 0309248f
Added by Davide Principi about 3 years ago

Backport of CSRF token support for software center

- Add CSRF token to ClearYumCache and Pki forms
Cherry-pick 593c02ab1d1244

- Add "Software update policy" UI
Cherry-pick d7c914846db1 (partial)

Refs #3445

Revision 98d1f990
Added by Davide Principi about 3 years ago

Session timeout implementation

(cherry picked from commits 2779e3a435aa4 7fcf07f1684ac)

Refs #3445

Revision e02348c4
Added by Davide Principi about 3 years ago

Backport of MaxSessionIdleTime MaxSessionLifeTime

Refs #3445

History

#1 Updated by Davide Principi about 3 years ago

  • Category set to nethserver-httpd-admin
  • Status changed from TRIAGED to MODIFIED
  • % Done changed from 20 to 60

In nethserver-testing (6.10)

- nethserver-base-2.11.3-1.1.g0309248.ns6.noarch.rpm
- nethserver-httpd-admin-1.6.8-1.1.ge02348c.ns6.noarch.rpm

#2 Updated by Davide Principi about 3 years ago

  • Subject changed from Backport of Nethgui CSRF fixes to Backport of Nethgui CSRF fixes and Session expiry

#3 Updated by Davide Principi about 3 years ago

  • Status changed from MODIFIED to ON_QA
  • Assignee deleted (Davide Principi)
  • % Done changed from 60 to 70

Test case:

- install the updates from the software center or with an active Server Manager session
- check the session is not interrupted
- logout and check a new session obeys the expiry rules

#4 Updated by Davide Principi about 3 years ago

  • Status changed from ON_QA to VERIFIED
  • % Done changed from 70 to 90

#5 Updated by Davide Principi about 3 years ago

  • Status changed from VERIFIED to CLOSED
  • % Done changed from 90 to 100

In nethserver-base 6.10

- nethserver-httpd-admin-1.7.0-1.ns6.noarch.rpm
- nethserver-base-2.11.4-1.ns6.noarch.rpm

Also available in: Atom PDF