On Thu, Apr 30, 2015 at 12:05 PM, martijn.list martijn.list@gmail.com wrote:
On 04/30/2015 11:54 AM, Thomas Bruederli wrote:
On Thu, Apr 30, 2015 at 8:52 AM, martijn.list martijn.list@gmail.com wrote:
[...] Since the GET request is redone but now with the correct token added, to me it looks like checking the URL token for GET requests will not bring additional security because if the user clicks the "click here to try again" link, the request will be done anyway.
That's exactly the point: the user has to CLICK the link -> human interaction required.
I understand the concept although in practice I think most users would just click the link without understanding the implications.
That's actually fine or good enough respectively. We just have to insist on human interaction here and could not facilitate this by doing an automated redirect to the valid session url.
Is it possible to disable the secure URL check for certain pages and/or requests? Perhaps with a plugin? or is it all or nothing?
No it isn't, it's literally all or nothing. But what "certain pages" would you then like to exclude? Once you allow one, you loose protection against click-jacking.
If the secure URLs are enabled, the user can no longer open the webmail page using a general bookmark if the user is already logged-in.
I agree and that certainly is a downside of this improved security measure.
You might argue that if the user is already logged-in that the webmail is already open in some page but when you have a lot of open pages you might have forgotten that you already opened a page somewhere. If the user now clicks the bookmark, the failing security checks error message is shown. Is that a shop stopper? no but can be annoying for users who do not understand what it actually means.
For better understanding we recently changed the wording of the message into """ For your protection, access to this resource is secured against CSRF. If you see this, you probably didn't log out before leaving the web application.
Human interaction is now required to continue.
[Click here to resume your previous session] """
This will probably help to educate the users by properly logging out when leaving the webmail.
Of course we're open to suggestions how to further improve this.
Kind regards, Thomas