This is a static dump of issues in the old "Flyspray" bugtracker for DokuWiki. Bugs and feature requests are now tracked at the issue tracker at Github.
This task was never closed in our old bug tracker.
Feel free to open a new task at Github if you feel this is still relevant.
FS#2795 Make CSRF tokens more random
Currently the CSRF tokens are only based on the session ID and the username. As DokuWiki isn't changing the session ID when a user logs in, this means that the CSRF tokens might be vulnerable to session fixation attacks when an attacker knows a combination of a session ID and a valid CSRF token for a certain user.
A more secure CSRF token could be composed of a random value that's stored in the session and the username. The random value could be generated during the initialization of DokuWiki if it doesn't exist already and then stored in $INFO so it's available also when the session has already been closed. Then a session fixation attack wouldn't work anymore if the session has expired since then and thus the random value would have been deleted already.
An alternative would be to store an additional random value in a cookie that has a relatively short lifetime (or simply a session cookie) and combine this random value from the cookie with the session id and the username. That way even with the same session the user would get a new CSRF token after some time.
Furthermore, it would be good to change the session ID on every permission change, which would also solve the potential problem but might be more difficult because of all the external authentication mechanisms.
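The three token schemes contrasted in this report, modelled in a stand-alone Python example. This is added illustration code, not DokuWiki's implementation: the `SessionStore` class, the fixed `SERVER_SALT`, the function names and the session/cookie values are all constructed for the demonstration. The replay check plays out the scenario from the report: an attacker has learned a (session ID, token) pair, PHP's garbage collection has since removed the session, and the same session ID is presented again because the server neither rejects unknown IDs nor regenerates them on login.

```python
import hashlib
import hmac
import secrets

# Constructed, stand-alone model of the token schemes discussed in FS#2795.
# It is not DokuWiki's code: the salt, function names and session store are
# assumptions made for illustration.
SERVER_SALT = "constructed-server-side-salt"


class SessionStore:
    """Minimal stand-in for PHP's session storage, keyed by session ID."""

    def __init__(self):
        self.sessions = {}

    def get_or_create(self, sid):
        # Mirrors a server that accepts whatever session ID the browser
        # presents and does not regenerate it on login.
        return self.sessions.setdefault(sid, {})

    def expire(self, sid):
        # Mirrors PHP garbage collection removing the session data.
        self.sessions.pop(sid, None)


def weak_token(store, sid, username):
    """Current scheme as the report describes it: derived only from the
    session ID and the username. The session's contents play no part, so the
    token is reproducible for as long as the same session ID is reused.
    (A fixed server-side salt, assumed here, does not change that.)"""
    store.get_or_create(sid)
    msg = f"{sid}:{username}".encode()
    return hmac.new(SERVER_SALT.encode(), msg, hashlib.sha256).hexdigest()


def session_secret_token(store, sid, username):
    """Proposed scheme: a random value generated on first use, stored in the
    session and mixed with the username. Once the session is garbage
    collected the secret is gone and a fresh one is generated."""
    sess = store.get_or_create(sid)
    if "csrf_secret" not in sess:
        sess["csrf_secret"] = secrets.token_hex(32)
    key = sess["csrf_secret"].encode()
    return hmac.new(key, username.encode(), hashlib.sha256).hexdigest()


def cookie_token(store, sid, username, cookie_nonce):
    """Alternative from the report: mix a short-lived random cookie value
    with the session ID and username, so the token rotates even while the
    same session stays alive."""
    store.get_or_create(sid)
    msg = f"{sid}:{username}:{cookie_nonce}".encode()
    return hmac.new(SERVER_SALT.encode(), msg, hashlib.sha256).hexdigest()


def token_survives_expiry(token_fn, sid="fixated-session-id", username="alice"):
    """Replay check: does a (session ID, token) pair learned earlier still
    validate after the session expired and the same ID was reused?"""
    store = SessionStore()
    known = token_fn(store, sid, username)   # pair the attacker learned
    store.expire(sid)                        # session garbage collected
    fresh = token_fn(store, sid, username)   # same ID reused, session recreated
    return hmac.compare_digest(known, fresh)


def token_stable_within_session(token_fn, sid="live-session", username="alice"):
    """Sanity check: while the session lives, the same user gets the same token."""
    store = SessionStore()
    first = token_fn(store, sid, username)
    second = token_fn(store, sid, username)
    return hmac.compare_digest(first, second)


def cookie_rotation_changes_token(sid="live-session", username="alice"):
    """Cookie variant: a new cookie nonce yields a new token in the same session."""
    store = SessionStore()
    first = cookie_token(store, sid, username, secrets.token_hex(16))
    second = cookie_token(store, sid, username, secrets.token_hex(16))
    return not hmac.compare_digest(first, second)


if __name__ == "__main__":
    print("weak token replayable after expiry:", token_survives_expiry(weak_token))
    print("session-secret token replayable after expiry:", token_survives_expiry(session_secret_token))
    print("cookie-based token rotates within one session:", cookie_rotation_changes_token())
```

The weak scheme validates the old token again because nothing in it depends on state that expiry destroys; the session-secret scheme rejects it because the secret died with the session. Tokens are compared with `hmac.compare_digest` to avoid timing leaks; in a real deployment the random value would also have to be kept somewhere readable after `session_write_close()`, which is what the report's suggestion of copying it into `$INFO` addresses.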
Another convenience issue. It is very inconvenient if, after a long time editing a page / completing a form, the submission is rejected because PHP has garbage collected your session and the information required to verify your form submission is gone.