[RCD] Roundcube session management

Cor Bosman cor at xs4all.nl
Thu May 22 16:12:02 CEST 2014


>>> 
>>> hint: you can't do without
>> 
>> Maybe the roundcube devs can explain which attack vector they are trying 
>> to prevent by having CSRF on the login page
> 
> i am not a roundcube dev but my job is development and security
> 
> * if you don't pass the token verification no login code is running
> * the login in case of roundcube implies network connections
> * the login in case of roundcube affects also the mailserver
> 
> the django project thought the same as you:
> https://www.djangoproject.com/weblog/2013/sep/15/security/
> 
> conclusion:
> whereever it is possible protect any expensive action
> with tokens, there are people out there thinking day
> and night how they can abuse things nobody imagines
> how they can be abused until it happened

The only attack vector I see is that you can be fooled into thinking you’re in your own account, while in fact you’re logged into someone else’s account. That still doesn’t compromise your account, but you could perhaps be fooled into giving away some privacy. 

Anyway, I'm not advocating not having CSRF tokens on the login page, but it can be problematic to have sessions started on the login page in the use case I explained, with many servers being health checked. I was able to work around it, so I personally don't see it as a huge problem to keep the sessions.

And I agree one should not use HTTP into Roundcube to run cron jobs :)  Just check out some of the scripts in bin/ and use clisetup.php to run tasks.

Cor
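The point made in the quoted reply, that a failed token check means no login code runs at all, and the attack Cor describes (being silently logged into someone else's account, i.e. login CSRF) are easiest to see in code. The following is an added illustration written for this page in Python; it is not Roundcube's code, and the session store, the `handle_login` handler, the `_token` field name and the `authenticate` callback standing in for the IMAP connection are all constructed for the example.

```python
"""Login CSRF token check, as discussed in the thread: the token is verified
before any login code runs, so a forged cross-site login POST never reaches
the mail server. Added illustration, not Roundcube code."""
import hmac
import secrets

SESSION_ID_BYTES = 16
TOKEN_BYTES = 32


def start_presession(store):
    """Create the anonymous session that backs the login form and return
    (session_id, csrf_token). The token lives only in that session."""
    sid = secrets.token_hex(SESSION_ID_BYTES)
    store[sid] = {"user": None, "csrf_token": secrets.token_hex(TOKEN_BYTES)}
    return sid, store[sid]["csrf_token"]


def render_login_form(csrf_token):
    """Minimal form: the hidden field is what a cross-site attacker cannot read."""
    return (
        '<form method="post" action="/login">'
        f'<input type="hidden" name="_token" value="{csrf_token}">'
        '<input name="user"><input name="pass" type="password">'
        '</form>'
    )


def handle_login(store, cookie_sid, form, authenticate):
    """Process a login POST.

    cookie_sid:   session id from the request cookie (None if absent)
    form:         dict of POST fields
    authenticate: callable(user, password) -> bool; constructed stand-in for
                  the expensive part (the IMAP connection). It must not be
                  reached unless the token check passed.
    Returns (status, new_session_id_or_None).
    """
    sess = store.get(cookie_sid)
    if sess is None or sess["user"] is not None:
        return 403, None  # no pre-login session, or already logged in
    supplied = form.get("_token", "")
    if not hmac.compare_digest(sess["csrf_token"], supplied):
        return 403, None  # token mismatch: stop before any login code
    if not authenticate(form.get("user", ""), form.get("pass", "")):
        return 401, None
    # Privilege level changed: rotate the session id and mint a fresh token.
    del store[cookie_sid]
    new_sid = secrets.token_hex(SESSION_ID_BYTES)
    store[new_sid] = {"user": form["user"], "csrf_token": secrets.token_hex(TOKEN_BYTES)}
    return 200, new_sid


def demo():
    """Legitimate login succeeds; a forged login POST (attacker's own
    credentials, no readable token) is rejected before authenticate() runs."""
    store = {}
    calls = []

    def authenticate(user, password):  # constructed stand-in for IMAP auth
        calls.append(user)
        return password == "correct horse"

    sid, token = start_presession(store)
    assert token in render_login_form(token)
    status, new_sid = handle_login(
        store, sid, {"_token": token, "user": "alice", "pass": "correct horse"}, authenticate)

    # Login CSRF attempt: the victim only has a fresh pre-login session; the
    # attacker's page auto-submits a form carrying the attacker's credentials.
    victim_sid, _ = start_presession(store)
    forged = {"_token": "guess", "user": "mallory", "pass": "correct horse"}
    forged_status, _ = handle_login(store, victim_sid, forged, authenticate)
    return {
        "login_status": status,
        "rotated": new_sid != sid and new_sid in store,
        "forged_status": forged_status,
        "auth_calls": list(calls),  # only "alice": mallory never reached auth
    }


if __name__ == "__main__":
    print(demo())
```

The token is tied to the pre-login session, which is exactly why a login page needs a session at all; a health check that only fetches the form therefore creates a session, which is the side effect Cor describes. Note also that the session id is rotated after a successful login so the pre-login id never becomes an authenticated one.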


