From 7a7f12a0c126522cb067de692af0950d46bf15fc Mon Sep 17 00:00:00 2001 From: Lukas Reschke Date: Wed, 31 Oct 2012 18:37:59 +0100 Subject: Create only one CSRF token per session Before, the CSRF token expired every hour. We had a script in place which should refresh the token but this don't worked in every case. (Laptop sleeping etc.) With this commit, the token will only get once created for every session so that the "Token expired" warning shouldn't appear. --- core/js/requesttoken.js | 55 ------------------------------------------------- 1 file changed, 55 deletions(-) delete mode 100644 core/js/requesttoken.js (limited to 'core/js') diff --git a/core/js/requesttoken.js b/core/js/requesttoken.js deleted file mode 100644 index 0d78cd7e93b..00000000000 --- a/core/js/requesttoken.js +++ /dev/null @@ -1,55 +0,0 @@ -/** - * ownCloud - * - * @file core/js/requesttoken.js - * @brief Routine to refresh the Request protection request token periodically - * @author Christian Reiner (arkascha) - * @copyright 2011-2012 Christian Reiner - * - * This library is free software; you can redistribute it and/or - * modify it under the terms of the GNU AFFERO GENERAL PUBLIC LICENSE - * License as published by the Free Software Foundation; either - * version 3 of the license, or any later version. - * - * This library is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU AFFERO GENERAL PUBLIC LICENSE for more details. - * - * You should have received a copy of the GNU Affero General Public - * License along with this library. - * If not, see . - * - */ - -OC.Request = { - // the request token - Token: {}, - // the lifespan span (in secs) - Lifespan: {}, - // method to refresh the local request token periodically - Refresh: function(){ - // just a client side console log to preserve efficiency - console.log("refreshing request token (lifebeat)"); - var dfd=new $.Deferred(); - $.ajax({ - type: 'POST', - url: OC.filePath('core','ajax','requesttoken.php'), - cache: false, - data: { }, - dataType: 'json' - }).done(function(response){ - // store refreshed token inside this class - OC.Request.Token=response.token; - dfd.resolve(); - }).fail(dfd.reject); - return dfd; - } -} -// accept requesttoken and lifespan into the OC namespace -OC.Request.Token = oc_requesttoken; -OC.Request.Lifespan = oc_requestlifespan; -// refresh the request token periodically shortly before it becomes invalid on the server side -setInterval(OC.Request.Refresh,Math.floor(1000*OC.Request.Lifespan*0.93)), // 93% of lifespan value, close to when the token expires -// early bind token as additional ajax argument for every single request -$(document).bind('ajaxSend', function(elm, xhr, s){xhr.setRequestHeader('requesttoken', OC.Request.Token);}); -- cgit v1.2.3 From 393d2517ee6734c9540211edb714b3ec1324018f Mon Sep 17 00:00:00 2001 From: Lukas Reschke Date: Wed, 31 Oct 2012 18:43:16 +0100 Subject: Change the requesttoken back to OC.EventSource.requesttoken --- core/js/eventsource.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'core/js') diff --git a/core/js/eventsource.js b/core/js/eventsource.js index 45c63715a7e..e3ad7e3a671 100644 --- a/core/js/eventsource.js +++ b/core/js/eventsource.js @@ -40,7 +40,7 @@ OC.EventSource=function(src,data){ dataStr+=name+'='+encodeURIComponent(data[name])+'&'; } } - dataStr+='requesttoken='+OC.Request.Token; + dataStr+='requesttoken='+OC.EventSource.requesttoken; if(!this.useFallBack && typeof EventSource !='undefined'){ this.source=new EventSource(src+'?'+dataStr); this.source.onmessage=function(e){ -- cgit v1.2.3