[RCD] Roundcube session management

Cor Bosman cor at xs4all.nl
Thu May 22 15:51:26 CEST 2014


>> If it is your opinion that the login page has to be CSRF protected then OK. 
>> BUT I don't want to have sessions started just for CSRF prevention for ANY 
>> code which is executed in not authenticated state
> 
> you refuse to understand how CSRF works
> 
> * at the first call the server generates a token
> * the token is placed in a hidden field
> * before taking any action the submitted token is verified
>  against the one from the first request
> 
> how do you genius imagine this works without storing the
> token in a session, without starting a session at all?
> 
> hint: you can't do without

The attack vector for CSRF through the login page is not as useful as any attack vector once you are logged in. I mean, you are not logged in yet, so you can’t really generate any attacks that compromise your security.

There are perhaps some attacks possible if someone that also has an account on the same roundcube instance tricks you into logging into an account they control, but then you’ll be logged into their account. The possibilities for security related problems are limited, but there could be some privacy implications. 

Maybe the roundcube devs can explain which attack vector they are trying to prevent by having CSRF on the login page.

Cor
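The three-step flow in the quoted reply, as an added example that is not Roundcube's own code: a login token generated on the first request, stored in the server-side session, emitted as a hidden field and checked on submit. The in-memory `SESSIONS` dict standing in for the session store, the form field name `_token` and the session key `csrf_login` are assumptions made for the example.

```python
import hmac
import secrets

# Constructed in-memory session store standing in for the server-side session
# (PHP's $_SESSION); the browser holds only the opaque session id cookie.
SESSIONS: dict[str, dict] = {}


def start_session() -> str:
    """Create a server-side session; this is the step the original poster objects to."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {}
    return sid


def render_login_form(sid: str) -> str:
    """Steps 1 and 2: generate a token, keep it in the session, emit it as a hidden field."""
    token = secrets.token_urlsafe(32)
    SESSIONS[sid]["csrf_login"] = token
    return (
        '<form method="post" action="?_task=login">'
        f'<input type="hidden" name="_token" value="{token}">'
        '<input name="_user"><input type="password" name="_pass">'
        '</form>'
    )


def handle_login_post(sid: str, form: dict) -> bool:
    """Step 3: verify the submitted token against the one stored for this session.

    The stored token is consumed on every attempt, so a replayed or guessed
    form cannot be retried against the same token. A request without a
    session, or with a token issued to another session, is rejected.
    """
    session = SESSIONS.get(sid)
    if session is None:
        return False
    expected = session.pop("csrf_login", None)
    submitted = form.get("_token", "")
    if expected is None or not submitted:
        return False
    # Constant-time comparison so the check does not leak the token via timing.
    return hmac.compare_digest(expected, submitted)
```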


