From 6107e91f142f1498e718365fd8be09a18168e700 Mon Sep 17 00:00:00 2001
From: Marcel de Rooy
Date: Thu, 11 Aug 2016 15:25:44 +0200
Subject: [PATCH] Bug 17110: Lower CSRF expiry in Koha::Token
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit
Default expiry in WWW:CSRF is one week. This patch sets it to 8 hours by default in Koha, and allows to change the expiry period individually by passing MaxAge. Test plan: [1] Put items in your cart. [2] Apply the example patch too. [3] Send the cart from opac within the allotted 10 seconds. [4] Send again, but wait some 10 seconds before submitting. Too late! Tested 3 patches together, works as expected.
Signed-off-by: Marc Véron
Signed-off-by: Jonathan Druart
Signed-off-by: Kyle M Hall
---
 Koha/Token.pm | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/Koha/Token.pm b/Koha/Token.pm
index 9e26800596..e60ee1f4fc 100644
--- a/Koha/Token.pm
+++ b/Koha/Token.pm
@@ -53,6 +53,7 @@ use String::Random ();
 use WWW::CSRF ();
 use base qw(Class::Accessor);
 use constant HMAC_SHA1_LENGTH => 20;
+use constant CSRF_EXPIRY_HOURS => 8; # 8 hours instead of 7 days..
 
 =head1 METHODS
 
@@ -161,6 +162,7 @@ sub _chk_csrf {
 $params->{id},
 $params->{secret},
 $params->{token},
+{ MaxAge => $params->{MaxAge} // ( CSRF_EXPIRY_HOURS * 3600 ) },
 );
 return $csrf_status == WWW::CSRF::CSRF_OK();
 }
-- 
2.39.5
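Review bot: The trailing comment on the added `use constant CSRF_EXPIRY_HOURS => 8;` line restates the value rather than its unit or rationale, and the constant is not mentioned in the POD that starts right below it. A reader has to find the `* 3600` in `_chk_csrf` to learn that this constant is in hours while the per-call `MaxAge` override is in seconds. Suggest replacing the comment with `# Default CSRF token lifetime in hours (WWW::CSRF's own default is one week); callers may override per check with MaxAge, given in seconds.`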
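Review bot: `$params->{MaxAge}` is handed to WWW::CSRF with only an undef guard, so a caller can lengthen the token lifetime well past the 8-hour default or pass a non-numeric or negative value, and nothing in the hunk clamps it to a sensible positive number of seconds. Because `//` only catches undef, a caller passing `0` gets a token that is always rejected, which fails closed but is easy to trip over and should be stated. Consider computing the value before the call, `my $max_age = $params->{MaxAge};` `$max_age = CSRF_EXPIRY_HOURS * 3600 unless defined $max_age && $max_age =~ /\A[1-9][0-9]*\z/;` and passing `{ MaxAge => $max_age },`, and documenting in the POD of whichever public method forwards MaxAge that it is a lifetime in seconds. `_chk_csrf` begins before this hunk; only its closing lines are visible here.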