CSRF Validty?



  • Hi,

    I'd like to know how long the CSRF Cookie is valid and if there's a way to extend this time?

    The reason is, that I operate a forum for a couple of elder ladies. One of them, she's in her 70s, wanted to login to the forum. Despite we told her to register first, she visited the Login URL and tried to register there. Of course this didn't work, so she took a photo, sent this to my wife by whatzapp, we made a couple of calls, she did the very same thing again a couple of times. Until she realized she had the wrong URL, more than 45 minutes went by. Finally she visited the register URL, but then, after clicking on the Register button, an error occured that the session is invalid. In the URL you could see something like ?csrf=invalid (or something like this, I don't have a screenshot of this).

    So, the solution was finally, to visit the main page again, do a shift-Reload (which was some kind of adventure, since she didn't even know where the reload icon resides in her browser, or even what browser she's using), go to the Register page, enter the data as fast as possible and submit. Note, that just shift-Reloading the Register page had no effect.

    So, it would help a lot in my case if the CSRF validation in nodebb would be a little bit more relaxed.

    best,
    Tom



  • One more thing: some of the users get this annoying message "Looks like your connection to NodeBB was lost, please wait while we try to reconnect" all the time, even while she's posting something. What's the point of that message anyway?

    I mean, this is JS Code running on a client device. My users are not hipsters sitting with their latest apple gear in Berlin Prenzlauerberg, they are elder ladies with next to no IT knowhow. What is a user supposed to do when such a message appears?

    Good software should not bother its users with such stuff. Your socket went away? Just reconnect already. Try it multiple times. And if nothing works, tell the user what happened, what you tried and what the user can do next.

    Not just "lost connection". Hell, even I as the admin of the forum am unable to do anything about this.

    This is what I see in the log:

    2018-02-18T15:42:37.964Z [7934] - error: /login invalid csrf token

    What am I supposed to do?

    Tom

    PS: sorry for ranting, nothing personal, just annoying to have couple of old people whining about errors impossible to fix or even analyse...



  • @tlinden said in CSRF Validty?:

    One more thing: some of the users get this annoying message "Looks like your connection to NodeBB was lost, please wait while we try to reconnect" all the time, even while she's posting something. What's the point of that message anyway?

    I mean, this is JS Code running on a client device. My users are not hipsters sitting with their latest apple gear in Berlin Prenzlauerberg, they are elder ladies with next to no IT knowhow. What is a user supposed to do when such a message appears?

    Good software should not bother its users with such stuff. Your socket went away? Just reconnect already. Try it multiple times. And if nothing works, tell the user what happened, what you tried and what the user can do next.

    Not just "lost connection". Hell, even I as the admin of the forum am unable to do anything about this.

    This is what I see in the log:

    2018-02-18T15:42:37.964Z [7934] - error: /login invalid csrf token

    What am I supposed to do?

    Tom

    PS: sorry for ranting, nothing personal, just annoying to have couple of old people whining about errors impossible to fix or even analyse...

    The connection lost message generally occurs if the URL value in your config file isn't the same as what the URL you are using.



  • The URL in the config is the same, I already checked this. The message appears nevertheless from time to time and for some users regularly. I had the error too a couple of times, while everything else were fine (my internet, active downloads, dns ok, server reachable, load 0, apache running, nodebb running and reachable by telnet). I needed to hit shift+Reload then it worked again.

    The problem here is the client-side JS, which doesn't produce recognizable error messages and seems to be too impatient. The same problem happens if the login takes too long, if the page stays too long opened and from time to time at pure random occurrences while browsing or editing.

    Tom



  • The connection lost thing happens all the time in Firefox if you task out to something else, or switch to another tab, and then return to the tab later.
    It is annoying as fuck when I leave a tab open to a NodeBB site and then not return to it for hours. It keeps reflashing up.

    I force reload the page to get around it.


  • Admin

    Hang on... the CSRF token shouldn't expire. Unless I'm remembering incorrectly (which is entirely possible), it is generated on each page load and expires when used or when the session it is tied to is ended. We use csurf, so some of it is behind a black box, but it's worked like that so far.

    If it is expiring sooner than expected, then the problem isn't with the token expiring, it's with the server forgetting that it exists. You mentioned this and also that you get the "reconnecting" messaging periodically. This suggests that your NodeBB is crashing and restarting, causing all generated CSRF tokens to instantly expire.

    Check server-side logging?



  • Well, that was what I suspected as well, so I've setup monitoring of the process. Also, it runs with daemontools, which logs when it has restarted the nodebb service. The result so far is, that it IS restarting nodebb sometimes but only once every couple days. The same applies for mongodb, which I had under suspicion as well, but it runs very stable without any hickups.

    I wonder if there's some way to debug this, like adding the CSRF token to the error message so I can compare it with what is in the database. Would that be possible?


  • Admin

    You can try changing line 41 in src/controllers/errors.js to read

    winston.error(req.path + '\n', err.message + '\ncsrfToken:' + req.csrfToken);

    Though I'd check the output of the server to see what stack trace pops up when it crashes/restarts.

    Mongo restarting shouldn't cause issues, NodeBB reconnects automatically unless it's down for an extended period.


 

| |