RFC: Securing authentication tokens #216

New Issue

Closed

opened 2026-02-04 17:53:35 +03:00 by OVERLORD · 1 comment

OVERLORD commented 2026-02-04 17:53:35 +03:00

Owner

Copy Link

Originally created by @SimonTagne on GitHub (Aug 2, 2022).

Hello !

Here are a few thoughts about the security of authentication tokens:

1. The cookie is not marked as secure. If planka is served over https, the cookie should be marked secure to avoid sending the authentication token over an unencrypted connection. I think a reasonable way to check this is wether BASE_URL (or the current browser location) starts with "https".
2. The cookie has no SameSite attribute. Since the authentication cookie is not needed to load the front-end, it would make sense to set SameSite=Strict to mitigate CSRF.
3. Changing a user's password does not invalidate the token. If an authentication token is compromised (lost device, logged in on an untrusted computer, ...), there is no way to revoke a token since it only contains the user id. A solution would be to save the time of the last password change for each user in the DB, add a timestamp when generating authentication tokens and only accept tokens issued after the last password change.
4. The authentication token never expires. The browser will forget about the cookie after 365 days, but the token remains valid on the server indefinitely. Adding an issue or expiration timestamp in the token could solve this problem. IMHO the session duration should also be a setting rather than hard-coded to 365 days.

What do you think about that ? I would be happy to implement the measures I described above :)

Thank you for making planka !

Originally created by @SimonTagne on GitHub (Aug 2, 2022). Hello ! Here are a few thoughts about the security of authentication tokens: 1. The cookie is not marked as secure. If planka is served over https, the cookie should be marked secure to avoid sending the authentication token over an unencrypted connection. I think a reasonable way to check this is wether `BASE_URL` (or the current browser location) starts with `"https"`. 2. The cookie has no SameSite attribute. Since the authentication cookie is not needed to load the front-end, it would make sense to set SameSite=Strict to mitigate CSRF. 3. Changing a user's password does not invalidate the token. If an authentication token is compromised (lost device, logged in on an untrusted computer, ...), there is no way to revoke a token since it only contains the user id. A solution would be to save the time of the last password change for each user in the DB, add a timestamp when generating authentication tokens and only accept tokens issued after the last password change. 4. The authentication token never expires. The browser will forget about the cookie after 365 days, but the token remains valid on the server indefinitely. Adding an issue or expiration timestamp in the token could solve this problem. IMHO the session duration should also be a setting rather than hard-coded to 365 days. What do you think about that ? I would be happy to implement the measures I described above :) Thank you for making planka !

OVERLORD closed this issue 2026-02-04 17:53:38 +03:00

OVERLORD commented 2026-02-04 17:53:44 +03:00

Author

Owner

Copy Link

@meltyshev commented on GitHub (Aug 3, 2022):

Hi! You are absolutely right on every point. Already looking forward to a pull request. Thank you 🙏

@meltyshev commented on GitHub (Aug 3, 2022): Hi! You are absolutely right on every point. Already looking forward to a pull request. Thank you 🙏

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

master

gh-pages

dependabot/npm_and_yarn/multi-795903f3f3

dependabot/npm_and_yarn/server/multi-60f2582fdd

dependabot/npm_and_yarn/client/qs-6.14.2

dependabot/npm_and_yarn/client/markdown-it-14.1.1

v2.0.2

planka-2.0.2

v2.0.1

planka-2.0.1

v2.0.0

planka-2.0.0

planka-1.1.2

planka-1.1.1

planka-1.1.0

planka-1.0.5

planka-1.0.4

v2.0.0-rc.4

v1.26.3

planka-0.2.26

planka-1.0.3

planka-1.0.2

v2.0.0-rc.3

planka-1.0.1

planka-1.0.0

v2.0.0-rc.2

planka-0.2.25

v1.26.2

v1.26.1

planka-0.2.24

v1.26.0

planka-0.2.23

v1.25.1

planka-0.2.22

v1.25.0

planka-0.2.21

v1.24.4

planka-0.2.20

v1.24.3

planka-0.2.19

planka-0.2.18

v1.24.2

planka-0.2.17

planka-0.2.16

v1.24.1

planka-0.2.15

v1.24.0

planka-0.2.14

v1.23.5

v1.23.4

planka-0.2.13

planka-0.2.12

v1.23.3

planka-0.2.11

v1.23.2

planka-0.2.10

v1.23.1

planka-0.2.9

v1.23.0

v1.22.0

planka-0.2.8

Labels

Clear labels

bug

bug

documentation

documentation

duplicate

enhancement

good first issue

help wanted

pull-request

Mirrored from GitHub Pull Request

question

wontfix

No Label

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

OVERLORD

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: starred/planka#216