authorLukas Reschke <lukas@statuscode.ch>2012-10-31 18:37:59 +0100
committerLukas Reschke <lukas@statuscode.ch>2012-10-31 18:37:59 +0100
commit7a7f12a0c126522cb067de692af0950d46bf15fc (patch)
tree1364f5ec500ead1ac29adde4cc72e5174a7a29ed /lib
parentac784baef689ca5c0f22c8acdce8e13f6d918101 (diff)
Create only one CSRF token per session
Before, the CSRF token expired every hour. We had a script in place which was supposed to refresh the token, but this did not work in every case (laptop sleeping etc.). With this commit, the token is created only once per session, so the "Token expired" warning should no longer appear.
Diffstat (limited to 'lib')
-rw-r--r--lib/base.php2
-rw-r--r--lib/template.php2
-rwxr-xr-xlib/util.php29
3 files changed, 6 insertions, 27 deletions
diff --git a/lib/base.php b/lib/base.php
index d7d5eef3256..87fb1644240 100644
--- a/lib/base.php
+++ b/lib/base.php
@@ -254,8 +254,6 @@ class OC{
OC_Util::addScript( "jquery-tipsy" );
OC_Util::addScript( "oc-dialogs" );
OC_Util::addScript( "js" );
- // request protection token MUST be defined after the jquery library but before any $('document').ready()
- OC_Util::addScript( "requesttoken" );
OC_Util::addScript( "eventsource" );
OC_Util::addScript( "config" );
//OC_Util::addScript( "multiselect" );
diff --git a/lib/template.php b/lib/template.php
index 1ad47cbe52c..caac6891cb8 100644
--- a/lib/template.php
+++ b/lib/template.php
@@ -172,7 +172,6 @@ class OC_Template{
$this->application = $app;
$this->vars = array();
$this->vars['requesttoken'] = OC_Util::callRegister();
- $this->vars['requestlifespan'] = OC_Util::$callLifespan;
$parts = explode('/', $app); // fix translation when app is something like core/lostpassword
$this->l10n = OC_L10N::get($parts[0]);
@@ -391,7 +390,6 @@ class OC_Template{
$page = new OC_TemplateLayout($this->renderas);
if($this->renderas == 'user') {
$page->assign('requesttoken', $this->vars['requesttoken']);
- $page->assign('requestlifespan', $this->vars['requestlifespan']);
}
// Add custom headers
diff --git a/lib/util.php b/lib/util.php
index de89e339d99..cb81f0a948c 100755
--- a/lib/util.php
+++ b/lib/util.php
@@ -473,17 +473,6 @@ class OC_Util {
}
/**
- * @brief Static lifespan (in seconds) when a request token expires.
- * @see OC_Util::callRegister()
- * @see OC_Util::isCallRegistered()
- * @description
- * Also required for the client side to compute the piont in time when to
- * request a fresh token. The client will do so when nearly 97% of the
- * timespan coded here has expired.
- */
- public static $callLifespan = 3600; // 3600 secs = 1 hour
-
- /**
* @brief Register an get/post call. Important to prevent CSRF attacks.
* @todo Write howto: CSRF protection guide
* @return $token Generated token.
@@ -491,30 +480,24 @@ class OC_Util {
* Creates a 'request token' (random) and stores it inside the session.
* Ever subsequent (ajax) request must use such a valid token to succeed,
* otherwise the request will be denied as a protection against CSRF.
- * The tokens expire after a fixed lifespan.
- * @see OC_Util::$callLifespan
* @see OC_Util::isCallRegistered()
*/
public static function callRegister() {
// Check if a token exists
- if(!isset($_SESSION['requesttoken']) || time() >$_SESSION['requesttoken']['time']) {
+ if(!isset($_SESSION['requesttoken'])) {
// No valid token found, generate a new one.
- $requestTokenArray = array(
- "requesttoken" => self::generate_random_bytes(20),
- "time" => time()+self::$callLifespan,
- );
- $_SESSION['requesttoken']=$requestTokenArray;
+ $requestToken = self::generate_random_bytes(20);
+ $_SESSION['requesttoken']=$requestToken;
} else {
// Valid token already exists, send it
- $requestTokenArray = $_SESSION['requesttoken'];
+ $requestToken = $_SESSION['requesttoken'];
}
- return($requestTokenArray['requesttoken']);
+ return($requestToken);
}
/**
* @brief Check an ajax get/post call if the request token is valid.
* @return boolean False if request token is not set or is invalid.
- * @see OC_Util::$callLifespan
* @see OC_Util::callRegister()
*/
public static function isCallRegistered() {
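Review bot: The token now lives for the entire session, but nothing in callRegister() ties its lifetime to session regeneration; if the session is regenerated at login without clearing `$_SESSION['requesttoken']`, a token issued to the pre-login session stays valid afterwards — worth confirming against the login code, which is outside this hunk. The docblock should state the new lifetime where the removed lifespan sentence was: ` * The token is created once per session and stays valid until the session ends; code that regenerates the session should unset $_SESSION['requesttoken'] so a fresh one is issued.` The branch comment `// No valid token found, generate a new one.` is now misleading because no validity check remains; `// No token in this session yet, generate one.` matches the code. The change of `$_SESSION['requesttoken']` from an array to a plain string may affect readers of the old `['requesttoken']`/`['time']` keys elsewhere; only template.php is touched in this commit, so a grep for other readers is worth doing.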
@@ -530,7 +513,7 @@ class OC_Util {
}
// Check if the token is valid
- if(!isset($_SESSION['requesttoken']) || time() > $_SESSION['requesttoken']["time"]) {
+ if($token !== $_SESSION['requesttoken']) {
// Not valid
return false;
} else {
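Review bot: The replaced condition drops the `isset` guard, so on a session that has no token yet the new line reads an undefined index (an E_NOTICE) before `$token !== null` makes it return false; keep the guard: `if(!isset($_SESSION['requesttoken']) || $token !== $_SESSION['requesttoken']) {`. Where `$token` comes from is outside the hunk, so whether it is always a string is not visible here; the strict comparison at least rejects non-string input. On PHP versions that provide it, `hash_equals($_SESSION['requesttoken'], $token)` would additionally make the comparison constant-time. isCallRegistered()'s body continues past the end of this hunk.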