Skip to:

  1. Skip to Jira Navigation
  2. Skip to Side Navigation
  3. Skip to Main Content

CSRFVerifyToken, add an optional remove argument, default false

Description

The only way to currently invalidate a CSRF token is to generate a new token for the same key

This has several problems,

  • the session’s list of tokens can grow unbounded (i.e. memory/storage if heavily used)

  • tokens can be reused (which is ok, when a form is resubmitted, depending on the app)

  • regenerating doesn’t reduce the size of the pool

Add a third argument remove (default false, existing behaviour), which will remove the token, by key, regardless if the token is correct

csrfVerifyToken( token=token, key=key, remove=true )

Now that https://luceeserver.atlassian.net/browse/LDEV-3324 will preserve on sessionRotate(), we may consider adding a CSRFClearTokens() type function

Activity

Show:

Pothys - MitrahSoft 14 February 2025 at 10:19

I have tested this trick with Lucee version 6.2.1.25-SNAPSHOT. When I tried to invalidate the CSRF token by using the csrfVerifyToken() with the remove attribute, it now removes the csrfgenerated token from the session, and it works fine as expected.

Zac Spitzer 11 February 2025 at 13:43

loader changes reverted in https://github.com/lucee/Lucee/commit/d82d6e95432e983777e1f2d1172e5056b0ebc87e

adds a new sessionStoragePro interface

Zac Spitzer 11 February 2025 at 12:55
Edited

oops, I just noticed this changes the loader…addressing with https://luceeserver.atlassian.net/browse/LDEV-3324

Zac Spitzer 11 February 2025 at 12:45

Zac Spitzer 31 January 2025 at 00:21

Fixed

Details

Assignee

Reporter

Labels

New Issue warning screen

Before you create a new Issue, please post to the mailing list first https://dev.lucee.org

Once the issue has been verified, one of the Lucee team will ask you to file an issue

Sprint

Fix versions

Priority

Parent

Created 30 January 2025 at 23:55
Updated 14 February 2025 at 10:20
Resolved 14 February 2025 at 10:19

Flag notifications