Issues
- CSRFVerifyToken, add an optional remove argument, default false (LDEV-5291, resolved; assignee: Pothys - MitrahSoft)
- sessionRotate() doesn't copy CSRF tokens to new session (LDEV-3324, resolved; assignee: Pothys - MitrahSoft)
- csrfGenerateToken() returns an empty string (LDEV-3185, resolved; assignee: Pothys - MitrahSoft)
- csrfGenerateToken() and csrfVerifyToken() with no arguments throw a null pointer exception (LDEV-2565, resolved; assignee: Michael Offner)
- Regression w/CFML Sessions: Session scope does not support CSRF Tokens (LDEV-2536, resolved)
- CSRF Tokens forceNew=false only works in short timespans (LDEV-2137; assignee: Michael Offner)
- Add SameSite attribute to cfcookie (LDEV-1236, resolved; assignee: Mircea Botez)
- CSRFverifyToken() does not work when this.sessionCluster = true (LDEV-784, resolved; assignee: Pothys - MitrahSoft)
- CSRF functions are restricted to CF Sessions (LDEV-412, resolved; assignee: Igal Sapir)
CSRFVerifyToken, add an optional remove argument, default false
Fixed
Description
Details
Assignee: Pothys - MitrahSoft
Reporter: Zac Spitzer
Labels:
Sprint:
Fix versions:
Priority: New
Created 30 January 2025 at 23:55
Updated 14 February 2025 at 10:20
Resolved 14 February 2025 at 10:19
Activity
Pothys - MitrahSoft, 14 February 2025 at 10:19
I have tested this trick with Lucee version 6.2.1.25-SNAPSHOT. When I tried to invalidate the CSRF token by using csrfVerifyToken() with the remove attribute, it now removes the generated CSRF token from the session, and it works fine as expected.
Zac Spitzer, 11 February 2025 at 13:43
loader changes reverted in
adds a new sessionStoragePro interface
Zac Spitzer, 11 February 2025 at 12:55 (edited)
oops, I just noticed this changes the loader…addressing with
Zac Spitzer, 11 February 2025 at 12:45
Zac Spitzer, 31 January 2025 at 00:21
The only way to currently invalidate a CSRF token is to generate a new token for the same key.
This has several problems:
- the session's list of tokens can grow unbounded (i.e. memory/storage if heavily used)
- tokens can be reused (which is ok, when a form is resubmitted, depending on the app)
- regenerating doesn't reduce the size of the pool
Add a third argument, remove (default false, existing behaviour), which will remove the token, by key, regardless of whether the token is correct:
csrfVerifyToken( token=token, key=key, remove=true )
Now that will preserve on sessionRotate(); we may consider adding a CSRFClearTokens() type function.
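The single-use form pattern this argument enables, as an added example that is not part of the issue or of Lucee's own code. It assumes the proposed remove argument is available (the issue reports it in 6.2.1.25-SNAPSHOT); the form key `transferFunds` and the field names are constructed for the example.

```cfml
<cfscript>
// Added example, not taken from the issue or from Lucee's code base.
// Assumes the third argument `remove` proposed in this issue is available
// (the issue reports it working in Lucee 6.2.1.25-SNAPSHOT).
formKey = "transferFunds";   // constructed: one token key per form

if ( cgi.request_method == "POST" ) {
    submitted = structKeyExists( form, "csrfToken" ) ? form.csrfToken : "";

    // Verify and discard in one call. With remove=true the token stored under
    // formKey is dropped whether or not it matched, so the session's token pool
    // does not grow and a replayed or double-submitted form fails the next check.
    if ( !csrfVerifyToken( token=submitted, key=formKey, remove=true ) ) {
        cfheader( statuscode=403, statustext="Forbidden" );
        writeOutput( "Rejected: missing, stale or already-used CSRF token." );
        abort;
    }
    // Before this change the only way to invalidate the token was
    // csrfGenerateToken( key=formKey, forceNew=true ), which, as the issue
    // notes, does not reduce the size of the pool.

    // ... process the transfer here ...
    writeOutput( "Transfer accepted." );
    abort;
}

// GET: issue the token for this form. forceNew=false reuses a still-valid token
// for the key rather than adding another entry to the session.
token = csrfGenerateToken( key=formKey, forceNew=false );
</cfscript>
<cfoutput>
<form method="post">
    <input type="hidden" name="csrfToken" value="#encodeForHTMLAttribute( token )#">
    <input type="text" name="amount">
    <button type="submit">Transfer</button>
</form>
</cfoutput>
```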