
Commit 0dfb2a9

committed
BOX-166 Resolve - implement timeout skew and range
1 parent b9bbda4 commit 0dfb2a9

3 files changed

Lines changed: 21 additions & 6 deletions


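--- a/ModuleConfig.cfc
+++ b/ModuleConfig.cfc
@@ -36,6 +36,8 @@ component {
 // By default, all csrf tokens have a life-span of 30 minutes. After 30 minutes, they expire and we aut-generate new ones.
 // If you do not want expiring tokens, then set this value to 0
 rotationTimeout : 30,
+// The interval in seconds within which, if a token's expiration is impending, we force generate new token for the user.
+timeoutSkew : 60,
 // Enable the /cbcsrf/generate endpoint to generate cbcsrf tokens for secured users.
 enableEndpoint : false,
 // The WireBox mapping to use for the CacheStorage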
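Review bot: The shipped default on the added line is `timeoutSkew : 60`, while the readme hunk in this same commit documents `timeoutSkew : 120` for the same setting; one of the two should change so the documented default matches the module default. The setting is also only meaningful when it is shorter than the token lifetime, since rotationTimeout is in minutes and this value is in seconds; a comment such as `// Seconds before expiry within which a token is regenerated early; keep this below rotationTimeout * 60` would make the relationship explicit for whoever tunes it.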

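--- a/models/cbcsrf.cfc
+++ b/models/cbcsrf.cfc
@@ -60,12 +60,7 @@ component accessors="true" singleton {
 // Is it a new key?
 !csrfData.keyExists( arguments.key ) ||
 // Has the token expired?
-(
-csrfData[ arguments.key ].expires != "never" && dateCompare(
-now(),
-csrfData[ arguments.key ].expires
-) == 1
-)
+tokenInExpiryRange( csrfData[ arguments.key ] )
 ) {
 // Generate a new token
 csrfData[ arguments.key ] = {
@@ -87,6 +82,22 @@ component accessors="true" singleton {
 return csrfData[ arguments.key ].token;
 }
 
+
+/**
+* Determines if the token is within the expiry range
+* @tokenData The token data struct
+*
+* @return True if the token is within the expiry range
+*/
+private boolean function tokenInExpiryRange( required struct tokenData ) {
+if ( tokenData.expires == "never" ) {
+return false;
+}
+
+var secondsToExpiry = dateDiff( "s", now(), tokenData.expires );
+return secondsToExpiry <= variables.settings.timeoutSkew;
+}
+
 /**
 * Validates the given token against the same stored in the session for a specific key.
 *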
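Review bot: tokenInExpiryRange in the second hunk never relates timeoutSkew to the token lifetime, so `return secondsToExpiry <= variables.settings.timeoutSkew;` is true for every live token once timeoutSkew (seconds) reaches rotationTimeout (minutes) times 60, and the caller in the first hunk would then mint a fresh token on every call, invalidating a token already rendered into a form before it is submitted. A guard at module load, or a clamp in the helper such as `var skew = min( variables.settings.timeoutSkew, variables.settings.rotationTimeout * 60 - 1 );` used in place of the raw setting, keeps early rotation strictly shorter than the lifetime (this assumes rotationTimeout is exposed on the same settings struct and is in minutes, as the ModuleConfig comment states). The docblock also understates the contract: dateDiff goes negative for an already-expired token, so `* @return True if the token has expired or will expire within settings.timeoutSkew seconds` describes both cases the helper accepts. The if condition that calls the helper begins above the first hunk.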

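--- a/readme.md
+++ b/readme.md
@@ -74,6 +74,8 @@ moduleSettings = {
 // By default, all csrf tokens have a life-span of 30 minutes. After 30 minutes, they expire and we aut-generate new ones.
 // If you do not want expiring tokens, then set this value to 0
 rotationTimeout : 30,
+// The interval in seconds within which, if a token's expiration is impending, we force generate new token for the user.
+timeoutSkew : 120,
 // Enable the /cbcsrf/generate endpoint to generate cbcsrf tokens for secured users.
 enableEndpoint : false,
 // The WireBox mapping to use for the CacheStorage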
