Why does the CSRF framework have a minimum value of 10 minutes? | Community
October 23, 2018
Solved

Why does the CSRF framework have a minimum value of 10 minutes?

  • October 23, 2018
  • 4 replies
  • 1396 views

The OOTB CSRF Framework has a minimum value of 10 minutes configured by default and cannot be reduced below this value. What is the logic behind this limitation? Would it be possible for an attacker to use the CSRF token to perform an attack?

Best answer by Anselm_H_

4 replies

arunpatidar
Community Advisor
October 23, 2018

Yes, but WHY is it restricted to a minimum of 10 minutes?

smacdonald2008
Level 10
October 23, 2018

We have asked the team if anyone can provide more info on the 10 min default value.

Anselm_H_ (Accepted solution)
Level 2
February 28, 2019

I just have an educated guess... See /etc.clientlibs/clientlibs/granite/jquery/granite.js:

// refreshing csrf token periodically
setInterval(function() {
    getToken();
}, 300000);

This means that every 5 minutes the CSRF token gets refreshed in the browser. So if you set the time below 10 minutes in the CSRFServlet, there would be a risk that a valid browser token is not valid anymore at the backend. Values above 10 min are fine, because the token will be refreshed every 5 min in the browser.
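The timing argument in the accepted answer can be checked with a small discrete-time model. The following is an added example, not code from granite.js or from the AEM CSRFServlet: it pairs a hypothetical token issuer with a configurable TTL (`makeTokenServer`) against a browser loop that refreshes its token every 300000 ms, as the snippet above does, and then asks whether a form submitted just before the next refresh tick still carries a token the server accepts. The "skipped refresh ticks" parameter (a throttled background tab or a failed refresh request) is an assumption introduced here to explore the 2x headroom; the post itself only states that the browser refreshes every 5 minutes. The real CSRFServlet is not modelled beyond "a token is valid for TTL milliseconds after issue".

```javascript
// Added example: model of the granite.js refresh loop against a server-side
// CSRF token TTL. None of these functions exist in AEM; they are illustrative.

const CLIENT_REFRESH_MS = 300000;          // 5 min, the setInterval period in granite.js
const MIN_SERVER_TTL_MS = 10 * 60 * 1000;  // 10 min, the OOTB minimum from the question

// Hypothetical token issuer: each token is valid for ttlMs after it was issued.
function makeTokenServer(ttlMs) {
  let counter = 0;
  const expiry = new Map();
  return {
    issue(now) {
      const token = `tok-${++counter}`;
      expiry.set(token, now + ttlMs);
      return token;
    },
    isValid(token, now) {
      const exp = expiry.get(token);
      return exp !== undefined && now < exp;
    },
  };
}

// Simulate one browser session (all times in ms):
//  - the page fetches a token at t = 0,
//  - a refresh tick fires every refreshMs,
//  - the first `skippedRefreshes` ticks are missed (assumption: throttled tab
//    or failed request; the post does not describe this case),
//  - the user submits a form at `submitAt`.
// Returns true if the server would accept the token the browser still holds.
function simulateSubmission({ ttlMs, refreshMs, skippedRefreshes = 0, submitAt }) {
  const server = makeTokenServer(ttlMs);
  let browserToken = server.issue(0);
  let skipsLeft = skippedRefreshes;
  for (let t = refreshMs; t <= submitAt; t += refreshMs) {
    if (skipsLeft > 0) {
      skipsLeft--;          // tick fired, but getToken() did not replace the token
      continue;
    }
    browserToken = server.issue(t);
  }
  return server.isValid(browserToken, submitAt);
}

// Oldest token the browser can present: just before the next tick fires,
// after `skippedRefreshes` ticks in a row were missed.
function worstCaseTokenAgeMs(refreshMs, skippedRefreshes = 0) {
  return refreshMs * (skippedRefreshes + 1);
}

// Smallest TTL that keeps the worst-case token valid; with one tolerated
// missed tick and a 5 min refresh this comes out at 10 min.
function minimumSafeTtlMs(refreshMs, skippedRefreshes = 0) {
  return worstCaseTokenAgeMs(refreshMs, skippedRefreshes);
}

// Stand-alone usage: a form submitted 1 ms before a refresh tick.
function demo() {
  const cases = [
    { label: '10 min TTL, every refresh lands',       ttlMs: 600000, skippedRefreshes: 0, submitAt: 299999 },
    { label: '4 min TTL, every refresh lands',        ttlMs: 240000, skippedRefreshes: 0, submitAt: 299999 },
    { label: '10 min TTL, one refresh missed',        ttlMs: 600000, skippedRefreshes: 1, submitAt: 599999 },
    { label: '8 min TTL, one refresh missed',         ttlMs: 480000, skippedRefreshes: 1, submitAt: 599999 },
    { label: '10 min TTL, two refreshes missed',      ttlMs: 600000, skippedRefreshes: 2, submitAt: 899999 },
  ];
  return cases.map(c => ({
    label: c.label,
    accepted: simulateSubmission({ refreshMs: CLIENT_REFRESH_MS, ...c }),
  }));
}

for (const r of demo()) {
  console.log(`${r.accepted ? 'ACCEPT' : 'REJECT'}  ${r.label}`);
}
console.log(`minimum TTL tolerating one missed 5 min refresh: ${minimumSafeTtlMs(CLIENT_REFRESH_MS, 1) / 60000} min`);
```

Read the results as a check on the answer, not as the vendor's stated rationale: with a TTL of 10 minutes the browser's token is always fresh enough, and it even survives a single missed 5-minute refresh; with a TTL below the 5-minute refresh period the browser routinely holds an already-expired token; with a TTL between 5 and 10 minutes it works only as long as no refresh is ever missed.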