[BlueOnyx:24994] Re: CSRF mismatch

Michael Stauber mstauber at blueonyx.it
Tue Jul 13 14:53:41 -05 2021


Hi all,

Earlier I wrote:
> I'll revise the mechanism once again and will force session expiry at
> the end of the Wizard so that you'll always have to take the round trip
> via the login page instead of going directly from Wizard to
> /swupdate/news without authentication.

I just checked the CSRF stuff in base-wizard and tried a few things to
get this cow off the ice.

After thinking it through I came to the conclusion that the CSRF issue
that some people run into at the end of the Wizard is not really what I
initially thought it was. But it's related:

Cookies have an expiry date. CSRF cookies are valid for 7200 seconds by
default. During the initial setup we don't yet have an NTP server
configured and whatever time zone we're using is anyone's best guess.
The server date and time might be horribly off as well. Either it's in
the past, or the future. Any set cookies might therefore be invalid.

At the end of the Wizard the GUI configures whatever date/time and
Timezone you had chosen in the Wizard. It also sets the authentication
cookies and the CSRF cookie and then redirects you to /gui (which sets
fresh cookies again), which in turn redirects you to /swupdate/news.

The change of server date and time is a bit problematic for any GUI set
cookies. The short validity period of the CSRF cookies makes this an even
bigger issue.

To improve things I modified base-wizard to automatically enable NTPd
and to tie a freshly installed server into pool.ntpd.org, and we also set
the default server time zone to 'US/Eastern'.

That means: On a freshly installed server upon first boot NTPd will be
enabled and by the time you get to the GUI Wizard the server will
already have the correct date and time. So you perhaps only need to
change the timezone to the one you actually want to use, which is a hell
of a lot less problematic as far as cookies go.

I'll be rolling up new ISOs for 5209R and 5210R today that already have
these updates.

Footnote: I just published another YUM update. If you have the Epel YUM
repository configs installed on 5209R or 5210R, then Active Monitor will
make damn well sure that Epel is disabled and remains disabled. A YUM
update of a 5209R or 5210R against Epel breaks so much stuff that it
really isn't funny anymore.

-- 
With best regards

Michael Stauber



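The clock-skew failure mode Michael describes above (a CSRF cookie with a 7200 second lifetime issued while the server clock is wrong, then checked after the Wizard applies the real date/time) can be replayed offline. The following is an added example and is not BlueOnyx or base-wizard code; it assumes a token of the form "<issue_time>.<hmac>", a server-side HMAC key, and a Set-Cookie Expires computed from the server clock. All clocks and the REAL_NOW value are constructed integers, and the browser side is modelled because the browser judges Expires against its own clock, which is where a server clock stuck in the past fails first.

```python
"""Effect of a wrong server clock on a short-lived CSRF cookie.

Added example, not BlueOnyx code. Assumptions (not from the original post):
  - token = "<issue_time>.<hmac-sha256(issue_time:session_id)>", 7200 s max age
  - Set-Cookie Expires is computed from the server clock at issue time
  - the browser discards a cookie whose Expires is already in its own past
Clocks are plain epoch integers so the jump the Wizard makes when it applies
the chosen date/time can be reproduced without touching the system clock.
"""
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta, timezone
from typing import Tuple

MAX_AGE = 7200                    # default CSRF cookie validity quoted in the post
SECRET = secrets.token_bytes(32)  # assumption: per-install HMAC key kept server-side


def issue_token(session_id: str, server_now: int, secret: bytes = SECRET) -> str:
    """Return "<issue_time>.<mac>" binding the session to the server's idea of now."""
    mac = hmac.new(secret, f"{server_now}:{session_id}".encode(), hashlib.sha256).hexdigest()
    return f"{server_now}.{mac}"


def validate_token(token: str, session_id: str, server_now: int,
                   secret: bytes = SECRET, max_age: int = MAX_AGE) -> Tuple[bool, str]:
    """Verify the MAC first, then freshness against the server clock at validation time."""
    try:
        ts, mac = token.split(".", 1)
        issued = int(ts)
    except ValueError:
        return False, "malformed"
    expected = hmac.new(secret, f"{issued}:{session_id}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return False, "bad mac"
    age = server_now - issued
    if age < 0:
        return False, "issued in the future"  # server clock was moved backwards after issuance
    if age > max_age:
        return False, "expired"               # server clock was moved forwards, or token is old
    return True, "ok"


def cookie_expires(server_now: int, max_age: int = MAX_AGE) -> int:
    """Expires attribute the server writes into Set-Cookie, derived from its own clock."""
    return server_now + max_age


def browser_keeps_cookie(expires: int, browser_now: int) -> bool:
    """The browser compares Expires with *its* clock; a stale Expires drops the cookie at once."""
    return expires > browser_now


def wizard_scenario(server_clock_at_issue: int, server_clock_after_wizard: int,
                    browser_now: int) -> Tuple[bool, str]:
    """Issue the CSRF cookie under one server clock, submit it after the Wizard set the
    real date/time. Returns (browser still holds the cookie, server-side verdict)."""
    sid = "wizard-session"
    token = issue_token(sid, server_clock_at_issue)
    if not browser_keeps_cookie(cookie_expires(server_clock_at_issue), browser_now):
        return False, "cookie discarded by browser"
    return True, validate_token(token, sid, server_clock_after_wizard)[1]


def tz_change_keeps_epoch(epoch: int) -> bool:
    """Changing only the zone does not move epoch time, so epoch-stamped tokens survive it.
    Fixed offsets are used (assumed EDT and CEST for July) to avoid depending on tzdata."""
    eastern = timezone(timedelta(hours=-4))
    other = timezone(timedelta(hours=2))
    utc = datetime.fromtimestamp(epoch, tz=timezone.utc)
    return int(utc.astimezone(eastern).timestamp()) == epoch == int(utc.astimezone(other).timestamp())


REAL_NOW = 1_626_199_200  # constructed: a plausible real time during setup (2021-07-13 UTC)

if __name__ == "__main__":
    later = REAL_NOW + 60
    print("clock correct (NTPd at boot):  ", wizard_scenario(REAL_NOW, later, later))
    print("server clock one year behind:  ", wizard_scenario(REAL_NOW - 365 * 86400, later, later))
    print("server clock one day ahead:    ", wizard_scenario(REAL_NOW + 86400, later, later))
    print("timezone-only change harmless: ", tz_change_keeps_epoch(REAL_NOW))
```

Two things fall out of running it. With a 7200 second lifetime, a server clock behind real time by more than that fails in the browser before the token ever reaches the server-side check, because Expires is already in the past by the browser's clock; a server clock ahead of real time survives in the browser but is rejected once the Wizard moves the server clock back, since the token now appears to be issued in the future. Syncing the clock with NTP before the GUI issues any cookie avoids both, and a later timezone-only change does not alter epoch time, so it leaves epoch-stamped tokens intact.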