Page expired error

If a page with a component stays some time without activity, the next interaction gives a “419 page expired” error.

I think that this is done by csrf. How can I configure it to have more time?

I believe by default a cb csrf token is good for 30 minutes. You should be able to adjust this in your cbcsrf module settings.

I see that the configuration is 30 minutes, but I don’t know why the error shows at 10 minutes.

@David_Sedeno I’ve noticed this issue myself (although mine seems to last 15-20 minutes). I’m working on chasing it down, and I’ll update this post once I have a fix in place.

@David_Sedeno @Robert_Z @Ancient_Programmer @MikeR @faxi05

Circling back, I could use some input on this. Currently CBWIRE 4 is using the cbCSRF module to generate CSRF tokens and verify them. As David and others have mentioned, this is causing issues because the default timeout for those tokens in the cbCSRF module is 30 minutes, and when the token expires, if you perform an action on your components, you get a Page Expired pop-up. The user then has to refresh the page to get a new token and continue on.

You can get around this by changing the rotationTimeout setting for the module in your Coldbox.cfc file. I’ve set it to 0 below which means it never times out.

    moduleSettings = {
        "cbwire": {
            "autoInjectAssets": false
        },
        "cbcsrf": {
            "enableAutoVerifier": false,
            "verifyExcludes": [],
            "rotationTimeout": 0,
            "enableEndpoint": false,
            "enableAuthTokenRotator": false
        }
    };

This works but I still don’t like it. The timeout setting in the cbCSRF module doesn’t work like other timeouts in CFML where if there is some user activity, the timeout moves forward. It’s a hard timeout, meaning if you set it to a 30 minute timeout, it will time out exactly at 30 minutes regardless of user activity. What this results in is a big annoyance for users. They could be 30 minutes into your site, halfway through filling out a form, get that annoying pop-up, and have to refresh and start all over again.

We do need to keep the CSRF protections in place though, and setting the rotationTimeout to 0 is not ideal. So a question for the group…

Would it make more sense to have the CSRF tokens roll forward, meaning they only truly time out after no user activity for a given amount of time? If so, I’ll probably need to remove the cbCSRF dependency from CBWIRE and we roll our own.

Thanks in advance for the input everyone and apologies to anyone I missed tagging in this. :slight_smile:

I’ve run into this as well. I have a couple thoughts that maybe will spark some discussion.

  • using cbcsrf (csrf) is great but the default timeout makes public-facing pages and single page applications problematic.
    • Setting the cbcsrf "rotationTimeout" : 0 would seem ok for any application where you use cbauth and users are logged in since you can also enable "enableAuthTokenRotator" : true and all the csrf tokens will be rotated on login/logout
  • Livewire/Laravel relies on server side logic as well as the checksum passed back and forth. I don’t think the cbwire checksum is being used at the moment and the value is really just a placeholder in the payload. I could be wrong if this has been added and I didn’t see it.
  • Locking data properties would also help with security. I see you have a GitHub issue for this. Great!

Livewire/Laravel discusses the combination of approaches used on their security page.

I have wires where csrf would be good, even if the tokens don’t rotate until the user logs out or in. I also have very simple wires where it may not be needed.

It also appears that the checksum generation and validation needs to be finished since that would protect the payload and not cause a problem in any of my wires.

I don’t know if any of this helps, but I guess I need to stop slacking and contribute more! :slight_smile:

Also… Thanks @gcopley for all the hard work on CBWIRE.

I adjusted the rotationTimeout in my app to prevent it from timing out. I understand why it wouldn’t roll forward since the token has a TTL when it is created.

If tokens are set to never expire, maybe evict old tokens instead of trying to roll the TTL forward?
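
One way to combine the two ideas raised in this thread, a token whose timeout rolls forward on activity and eviction of stale tokens, is shown here as an added example; it is not code from cbCSRF, CBWIRE or any poster. The component name `SlidingCsrfTokens`, its method names, the default timeouts and the absolute lifetime cap are all assumptions made for illustration.

```cfml
// SlidingCsrfTokens.cfc: added example, not cbCSRF or CBWIRE code.
// Component name, method names and default timeouts are assumptions for illustration.
component {

    function init( numeric idleMinutes = 30, numeric maxMinutes = 480 ){
        variables.idleMs = arguments.idleMinutes * 60000; // inactivity window
        variables.maxMs  = arguments.maxMinutes * 60000;  // absolute cap, never extended
        return this;
    }

    // Issue a fresh token into the caller's store (typically the session scope).
    // nowMs is optional and exists so the timing logic can be exercised in tests.
    string function generate( required struct store, numeric nowMs ){
        var t = isNull( arguments.nowMs ) ? getTickCount() : arguments.nowMs;
        arguments.store.csrf = {
            token    : generateSecretKey( "AES", 256 ), // 256 random bits, base64
            issuedAt : t,
            lastSeen : t
        };
        return arguments.store.csrf.token;
    }

    // True only for a matching, unexpired token; a success rolls the idle window forward.
    boolean function verify( required struct store, required string token, numeric nowMs ){
        var t = isNull( arguments.nowMs ) ? getTickCount() : arguments.nowMs;
        if ( !structKeyExists( arguments.store, "csrf" ) ) return false;
        var rec = arguments.store.csrf;
        // Evict instead of extending once either limit has passed.
        if ( t - rec.lastSeen > variables.idleMs || t - rec.issuedAt > variables.maxMs ){
            structDelete( arguments.store, "csrf" );
            return false;
        }
        // A wrong token never extends the window.
        if ( !sameBytes( rec.token, arguments.token ) ) return false;
        rec.lastSeen = t;
        return true;
    }

    // Constant-time comparison via the JDK, so timing does not leak matching prefixes.
    private boolean function sameBytes( required string a, required string b ){
        return createObject( "java", "java.security.MessageDigest" )
            .isEqual( charsetDecode( a, "utf-8" ), charsetDecode( b, "utf-8" ) );
    }
}
```

With the 30-minute idle window, a token issued at minute 0 and verified at minutes 20 and 45 is still accepted, because each successful check resets `lastSeen`. After 30 idle minutes, or once the absolute cap is reached, the token is deleted from the store and a new one has to be generated.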

@MikeR Yep, you are right on the checksum, it’s just a placeholder for now :woozy_face:. Any chance you have the bandwidth to work on the checksum functionality? If not, no worries but thought I would ask.

Absolutely. I was just thinking the other day that I should ask you if there is anything particular you want me to tackle! I’ll dig a little deeper into Livewire for a minute to get a better understanding of how they are implementing it and then dig in!

I submitted a pull request for this. Take a look and let me know any comments or suggestions.

Thanks again @gcopley for all your work on cbwire.