https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=42924

--- Comment #2 from Jonathan Druart <[email protected]> ---
Created attachment 201169
  -->
https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=201169&action=edit
Bug 42924: Restore default MaxAge for CSRF token

This patch changes the default MaxAge from 8 hours to
168 hours or 7 days due to usability issues encountered from
using a short-lived token.

See OWASP for more information on why timestamps with expiry
are not necessary for CSRF tokens. The MaxAge is a requirement
of the WWW::CSRF token used by Koha, so let's just use a longer
expiry in lieu of no expiry.

Test plan:
0. apply patch
1. prove t/Token.t

Signed-off-by: Jonathan Druart <[email protected]>

-- 
You are receiving this mail because:
You are watching all bug changes.
_______________________________________________
Koha-bugs mailing list
[email protected]
https://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs
website : http://www.koha-community.org/
git : http://git.koha-community.org/
bugs : http://bugs.koha-community.org/

Reply via email to