You are viewing a plain text version of this content. The canonical link for it is here.

Posted to commits@airflow.apache.org by GitBox <gi...@apache.org> on 2022/12/14 10:21:14 UTC

[GitHub] [airflow] malthe opened a new issue, #28356: CSRF token should be expire with session

malthe opened a new issue, #28356:
URL: https://github.com/apache/airflow/issues/28356

   ### Apache Airflow version
   
   2.5.0
   
   ### What happened
   
   In the default configuration, the CSRF token [expires in one hour](https://pythonhosted.org/Flask-WTF/config.html#forms-and-csrf). This setting leads to frequent errors in the UI – for no good reason.
   
   
   ### What you think should happen instead
   
   A short expiration date for the CSRF token is not the right value in my view and I [agree with this answer](https://security.stackexchange.com/a/56520/22108) that the CSRF token should basically never expire, instead pegging itself to the current session.
   
   That is, the CSRF token should last as long as the current session. The easiest way to accomplish this is by generating the CSRF token from the session id.
   
   
   
   ### How to reproduce
   
   _No response_
   
   ### Operating System
   
   Linux
   
   ### Versions of Apache Airflow Providers
   
   _No response_
   
   ### Deployment
   
   Official Apache Airflow Helm Chart
   
   ### Deployment details
   
   _No response_
   
   ### Anything else
   
   _No response_
   
   ### Are you willing to submit PR?
   
   - [ ] Yes I am willing to submit a PR!
   
   ### Code of Conduct
   
   - [X] I agree to follow this project's [Code of Conduct](https://github.com/apache/airflow/blob/main/CODE_OF_CONDUCT.md)
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscribe@airflow.apache.org.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

[GitHub] [airflow] potiuk commented on issue #28356: CSRF token should be expire with session

Posted by GitBox <gi...@apache.org>.

potiuk commented on issue #28356:
URL: https://github.com/apache/airflow/issues/28356#issuecomment-1367881083

   Agree. I read a bit about it and there is no parrticular reason why CSRF should expire. Maybe you would like to take a stab on it @malthe  and achange it ?


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscribe@airflow.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

[GitHub] [airflow] potiuk closed issue #28356: CSRF token should be expire with session

Posted by GitBox <gi...@apache.org>.

potiuk closed issue #28356: CSRF token should be expire with session
URL: https://github.com/apache/airflow/issues/28356


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscribe@airflow.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org