Nethserver Update Fails with Server error Nethgui: 400 - Bad Request


(Emiliano Vavassori) #42

Good news to me :+1: . Session lifetime seems to be really “safe” from the user POV anyways (1 hour on idle and 8 hours of total lifetime is a quite permissive approach to session expiration, IMHO), but I understand the point.

A wise choice, as always. I think 5 actions per session may be a little low (think about adding many NATs or firewall rules/objects, which you may choose to open in two different tabs for simplicity); a configurable threshold may be much more fitted IMHO (you can raise it if it bothers you when you are administering stuff, then bring it back to the default at the end of the task in case), but once you know the security issue and why it was implemented, you can surely bear with it anyways.

Thanks for your involvement and support, much appreciated as usual.

(Davide Principi) #43

Just to clarify, the limit of 5 refers to simultaneously opened pages. Each time a full HTML page is requested a new CSRF token is generated. The session records the last 5 tokens so that any AJAX request containing one of them can be validated.

When you work on the same HTML page the token does not change.
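The token-rotation behaviour described above, as an added example that is not Nethgui's own code: a session keeps only the last 5 CSRF tokens, each full page request mints a new one, and an AJAX request is accepted if it carries any recorded token, so opening a sixth page silently evicts the first tab's token. `Session`, `simulate_tabs` and the token size are assumptions for illustration.

```python
import hmac
import secrets
from collections import deque

MAX_TOKENS = 5  # the per-session limit discussed in the thread


class Session:
    """Minimal stand-in for a server-side session (assumed model, not Nethgui).

    Holds the last MAX_TOKENS CSRF tokens; the deque drops the oldest one
    automatically when a new full page is rendered beyond the limit.
    """

    def __init__(self, max_tokens=MAX_TOKENS):
        self.tokens = deque(maxlen=max_tokens)

    def render_full_page(self):
        """A full HTML page request generates a fresh token and records it.

        Returns the token the page would embed for its AJAX calls.
        """
        token = secrets.token_urlsafe(32)  # 256 bits of randomness
        self.tokens.append(token)
        return token

    def validate_ajax(self, presented):
        """Accept an AJAX request if its token matches any recorded token.

        hmac.compare_digest keeps each comparison constant-time; the isascii
        guard avoids the TypeError it raises on non-ASCII str input.
        """
        if not presented or not presented.isascii():
            return False
        return any(hmac.compare_digest(presented, t) for t in self.tokens)


def simulate_tabs(n_tabs, max_tokens=MAX_TOKENS):
    """Open n_tabs full pages in one session, then check every tab's token.

    Returns a list of booleans, one per tab in opening order: only the last
    max_tokens tabs stay valid, which is exactly the "5 simultaneously opened
    pages" limit.
    """
    session = Session(max_tokens)
    tab_tokens = [session.render_full_page() for _ in range(n_tabs)]
    return [session.validate_ajax(t) for t in tab_tokens]
```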