AuthToken Time Limit
Jason Roscoe, modified 6 years ago.
AuthToken Time Limit
Junior Member Posts: 84 Join date: 23/10/08
We are using Liferay 5.2.9 (in process of upgrading to DXP as well), but I have a question about the AuthToken used for CSRF prevention. We have the below set in our portal-ext.properties file:
auth.token.check.enabled=true
but our question is how long is this token valid for?
thanks!
Andrew Jardine, modified 6 years ago.
RE: AuthToken Time Limit
Liferay Legend Posts: 2416 Join date: 22/12/10
Hi Jason,
As far as I know, there is no time limit on the token. The value is stored in the Session and if the check is enabled then it is checked. If you need to provide an expiration for the token then I think you will have to define your own implementation class using the property --
#
# Set the authentication token class. This class must implement
# com.liferay.portal.security.auth.AuthToken. This class is used to prevent
# CSRF attacks. See http://issues.liferay.com/browse/LPS-8399 for more
# information.
#
auth.token.impl=com.liferay.portal.security.auth.SessionAuthToken
Jason Roscoe, modified 6 years ago.
RE: AuthToken Time Limit
Junior Member Posts: 84 Join date: 23/10/08
The reason I ask is because on the below page, it says there is a limit:
http://www.liferaysavvy.com/2014/03/cross-site-request-forgery-csrf.html
"This token is valid for a particular time, after which the token will be expired."
Thanks!
Andrew Jardine, modified 6 years ago.
RE: AuthToken Time Limit
Liferay Legend Posts: 2416 Join date: 22/12/10
I suppose you could argue that there is an implicit time limit -- that being whatever you have your session expiration set to.
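An added illustration (not Liferay code) of the distinction drawn in this thread: a token kept only in the session has no lifetime of its own and dies with the session's idle timeout, whereas an explicit expiry needs an issue time stored alongside the token and checked on every use. The Session class, TOKEN_KEY, the 30-minute idle timeout and the 5-minute TTL are constructed stand-ins, not Liferay classes or settings.

```python
import hmac
import secrets

TOKEN_KEY = "AUTH_TOKEN"  # constructed attribute name, not Liferay's


class Session:
    """Stand-in for a servlet HttpSession: attribute map plus an idle timeout (seconds)."""
    def __init__(self, idle_timeout):
        self.attrs = {}
        self.idle_timeout = idle_timeout
        self.last_access = 0.0


def _alive(session, now):
    """Mimics the container: a session idle longer than its timeout is invalidated."""
    if now - session.last_access > session.idle_timeout:
        session.attrs.clear()
        return False
    session.last_access = now
    return True


class SessionAuthToken:
    """Session-bound token: minted once, stored in the session, no lifetime of its own."""
    def get_token(self, session, now):
        _alive(session, now)
        return session.attrs.setdefault(TOKEN_KEY, secrets.token_urlsafe(32))

    def check(self, session, submitted, now):
        expected = session.attrs.get(TOKEN_KEY)
        if not _alive(session, now) or expected is None:
            return False
        return hmac.compare_digest(expected, submitted)


class ExpiringAuthToken:
    """Variant with its own TTL, the kind of rule a custom auth.token.impl would have to add."""
    def __init__(self, ttl):
        self.ttl = ttl

    def get_token(self, session, now):
        _alive(session, now)
        entry = session.attrs.get(TOKEN_KEY)
        if entry is None or now - entry[1] > self.ttl:  # rotate once the old token has aged out
            entry = (secrets.token_urlsafe(32), now)
            session.attrs[TOKEN_KEY] = entry
        return entry[0]

    def check(self, session, submitted, now):
        entry = session.attrs.get(TOKEN_KEY)
        if not _alive(session, now) or entry is None or now - entry[1] > self.ttl:
            return False
        return hmac.compare_digest(entry[0], submitted)


def lifetimes():
    """Constructed timeline: 30-minute session idle timeout, 5-minute explicit TTL."""
    s1, s2 = Session(idle_timeout=1800), Session(idle_timeout=1800)
    plain, ttl = SessionAuthToken(), ExpiringAuthToken(ttl=300)
    t1, t2 = plain.get_token(s1, now=0), ttl.get_token(s2, now=0)
    return {
        "plain_ok_at_10min": plain.check(s1, t1, now=600),
        "ttl_fails_at_10min": ttl.check(s2, t2, now=600),
        "plain_fails_after_idle": plain.check(s1, t1, now=600 + 1801),
    }
```

The session-bound token is still accepted ten minutes in and only fails once the session itself has idled out; the TTL variant rejects the same ten-minute-old token on its own clock.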
Jason Roscoe, modified 6 years ago.
RE: AuthToken Time Limit
Junior Member Posts: 84 Join date: 23/10/08
Ok. I was hoping to get a Liferay resource to answer that for sure.
thanks!
Andrew Jardine, modified 6 years ago.
RE: AuthToken Time Limit
Liferay Legend Posts: 2416 Join date: 22/12/10
I think they're, generally speaking, pretty busy guys. If you have an EE subscription you can always open a LESA to ask. If you don't, then your best bet (if you don't believe volunteers like me) ... would be to just check out the source itself.

Simplest way to track something like this down is to start (assuming you already have the portal source downloaded and available for reference) by looking at the PropsKeys class. In there you will find the property you are referencing. 99.9999% of the time the property member will be a capitalized version of the property key, with the dots replaced by underscores -- but I always check JUST in case one slips through. So ... this.is.my.property ... becomes THIS_IS_MY_PROPERTY. If you do a global search for said property you will find the references and then it's just a case of reading the code.

In your case I found the checks in the impl class and I see nothing about an expiration -- just that it's placed into the session. So while I am always optimistic, I also always reserve a 0.1% chance that there is some secret magic that I haven't found, or perhaps a reference to the property that doesn't use the key -- in which case my assumption and/or guidance would be incorrect I suppose.
Liferay does generate tokens that expire, but from my experience these items are stored in the ticket table and use the TicketService portion of the API to do so. I see no references to that in the impl class, sooooo -- pretty sure it's just tied to the session.
Jack Bakker, modified 6 years ago.
RE: AuthToken Time Limit
Liferay Master Posts: 978 Join date: 03/01/10
ve haf vays of making u talk...