nextcloud/lib
Christoph Wurst 87aeae21e3
Fix failing csp/nonce check due to timed out session
The CSP nonce is based on the CSRF token. This token does not change,
unless you log in (or out). In case of the session data being lost,
e.g. because php gets rid of old sessions, a new CSRF token is gen-
erated. While this is fine in theory, it actually caused some annoying
problems where the browser restored a tab and Nextcloud js was blocked
due to an outdated nonce.
The main problem here is that, while processing the request, we write
out security headers relatively early. At that point the CSRF token
is known/generated and transformed into a CSP nonce. During this request,
however, we also log the user in because the session information was
lost. At that point we also refresh the CSRF token, which eventually
causes the browser to block any scripts as the nonce in the header
does not match the one which is used to include scripts.
This patch adds a flag to indicate whether the CSRF token should be
refreshed or not. It is assumed that refreshing is only necessary
if we want to re-generate the session id too. To my knowledge, this
case only happens on fresh logins, not when we recover from a deleted
session file.

Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2017-09-04 17:29:26 +02:00
..
composer update autoloader 2017-09-04 11:59:00 +02:00
l10n [tx-robot] updated from transifex 2017-09-02 00:08:29 +00:00
private Fix failing csp/nonce check due to timed out session 2017-09-04 17:29:26 +02:00
public Merge pull request #6255 from nextcloud/email-meta-data 2017-08-26 18:53:52 +02:00
autoloader.php Revert "Add a magic wrapper to allow phpunit4 to run the code again " 2017-03-20 14:25:43 +01:00
base.php Use the guest.css for the maintenance page as well 2017-06-13 16:43:25 -05:00