TimeTracker/docs/admin/security/CSRF_IP_ACCESS_GUIDE.md at eb0cd0005e406677e46bad58dca5f4ea8f353111

mirror of https://github.com/DRYTRIX/TimeTracker.git synced 2026-01-20 11:29:57 -06:00

Files

Dries Peeters 29f7186ee8 docs: Reorganize documentation structure for better navigation

Complete reorganization of project documentation to improve discoverability,
navigation, and maintainability. All documentation has been restructured into
a clear, role-based hierarchy.

## Major Changes

### New Directory Structure
- Created `docs/api/` for API documentation
- Created `docs/admin/` with subdirectories:
  - `admin/configuration/` - Configuration guides
  - `admin/deployment/` - Deployment guides
  - `admin/security/` - Security documentation
  - `admin/monitoring/` - Monitoring and analytics
- Created `docs/development/` for developer documentation
- Created `docs/guides/` for user-facing guides
- Created `docs/reports/` for analysis reports and summaries
- Created `docs/changelog/` for detailed changelog entries (ready for future use)

### File Organization

#### Moved from Root Directory (40+ files)
- Implementation notes → `docs/implementation-notes/`
- Test reports → `docs/testing/`
- Analysis reports → `docs/reports/`
- User guides → `docs/guides/`

#### Reorganized within docs/
- API documentation → `docs/api/`
- Administrator documentation → `docs/admin/` (with subdirectories)
- Developer documentation → `docs/development/`
- Security documentation → `docs/admin/security/`
- Telemetry documentation → `docs/admin/monitoring/`

### Documentation Updates

#### docs/README.md
- Complete rewrite with improved navigation
- Added visual documentation map
- Organized by role (Users, Administrators, Developers)
- Better categorization and quick links
- Updated all internal links to new structure

#### README.md (root)
- Updated all documentation links to reflect new structure
- Fixed 8 broken links

#### app/templates/main/help.html
- Enhanced "Where can I get additional help?" section
- Added links to new documentation structure
- Added documentation index link
- Added admin documentation link for administrators
- Improved footer with organized documentation links
- Added "Complete Documentation" section with role-based links

### New Index Files
- Created README.md files for all new directories:
  - `docs/api/README.md`
  - `docs/guides/README.md`
  - `docs/reports/README.md`
  - `docs/development/README.md`
  - `docs/admin/README.md`

### Cleanup
- Removed empty `docs/security/` directory (moved to `admin/security/`)
- Removed empty `docs/telemetry/` directory (moved to `admin/monitoring/`)
- Root directory now only contains: README.md, CHANGELOG.md, LICENSE

## Results

**Before:**
- 45+ markdown files cluttering root directory
- Documentation scattered across root and docs/
- Difficult to find relevant documentation
- No clear organization structure

**After:**
- 3 files in root directory (README, CHANGELOG, LICENSE)
- Clear directory structure organized by purpose and audience
- Easy navigation with role-based organization
- All documentation properly categorized
- Improved discoverability

## Benefits

1. Better Organization - Documentation grouped by purpose and audience
2. Easier Navigation - Role-based sections (Users, Admins, Developers)
3. Improved Discoverability - Clear structure with README files in each directory
4. Cleaner Root - Only essential files at project root
5. Maintainability - Easier to add and organize new documentation

## Files Changed

- 40+ files moved from root to appropriate docs/ subdirectories
- 15+ files reorganized within docs/
- 3 major documentation files updated (docs/README.md, README.md, help.html)
- 5 new README index files created
- 2 empty directories removed

All internal links have been updated to reflect the new structure.

2025-12-14 07:56:07 +01:00

6.7 KiB

Raw Blame History

Problem

When accessing the TimeTracker application:

✅ Works fine via http://localhost:8080
❌ CSRF cookie not created when accessing via IP address (e.g., http://192.168.1.100:8080)

Root Cause

The issue occurs due to browser cookie security policies and Flask's CSRF protection settings:

WTF_CSRF_SSL_STRICT: When set to true (default in production), Flask-WTF rejects cookies from non-HTTPS connections that it considers "insecure"
SESSION_COOKIE_SECURE: When set to true, cookies are only sent over HTTPS, blocking HTTP access via IP
SameSite Policy: Browsers treat localhost and IP addresses differently for cookie SameSite policies

Quick Fix

Option 1: Environment Variables (Recommended)

Add these to your .env file:

# Disable SSL strict mode for HTTP access
WTF_CSRF_SSL_STRICT=false

# Ensure cookies work over HTTP
SESSION_COOKIE_SECURE=false
CSRF_COOKIE_SECURE=false

# Optional: Adjust SameSite if needed
SESSION_COOKIE_SAMESITE=Lax
CSRF_COOKIE_SAMESITE=Lax

Then restart the application:

docker-compose restart app

Option 2: Docker Compose Override

Create or update docker-compose.override.yml:

services:
  app:
    environment:
      - WTF_CSRF_SSL_STRICT=false
      - SESSION_COOKIE_SECURE=false
      - CSRF_COOKIE_SECURE=false
      - SESSION_COOKIE_SAMESITE=Lax

Restart:

docker-compose up -d

Detailed Explanation

WTF_CSRF_SSL_STRICT

This Flask-WTF setting controls whether CSRF protection rejects requests it considers insecure:

true (default in production): Rejects cookies from HTTP on non-localhost addresses
false: Allows cookies over HTTP (needed for IP access without HTTPS)

When to use false:

Development/testing environments
Local network access via IP address
When HTTPS is not configured

When to use true:

Production with HTTPS enabled
Public-facing applications
Maximum security requirements

SESSION_COOKIE_SECURE and CSRF_COOKIE_SECURE:

true: Cookies only sent over HTTPS (blocks HTTP access)
false: Cookies sent over HTTP and HTTPS

SameSite Policy

Controls when browsers send cookies:

Strict: Cookie only sent for same-site requests (most restrictive)
Lax (default): Cookie sent for same-site and top-level navigation
None: Cookie sent with all requests (requires Secure flag)

Testing

1. Check Current Settings

docker-compose exec app env | grep -E "(CSRF|SESSION_COOKIE|WTF)"

Open browser DevTools (F12)
Go to Application → Cookies
Navigate to your app (via IP address)
Look for these cookies:
- session - Session cookie
- XSRF-TOKEN - CSRF token cookie

3. Test CSRF Token Endpoint

# Via localhost (should work)
curl -v http://localhost:8080/auth/csrf-token

# Via IP address (should also work after fix)
curl -v http://192.168.1.100:8080/auth/csrf-token

Look for Set-Cookie headers in the response.

Security Considerations

Development vs Production

Development (HTTP access via IP):

WTF_CSRF_SSL_STRICT=false
SESSION_COOKIE_SECURE=false
CSRF_COOKIE_SECURE=false

Production (HTTPS with domain):

WTF_CSRF_SSL_STRICT=true
SESSION_COOKIE_SECURE=true
CSRF_COOKIE_SECURE=true

Risk Assessment

Setting WTF_CSRF_SSL_STRICT=false:

✅ Safe for: Local networks, development, testing
⚠️ Risk for: Public internet without HTTPS
❌ Never: Production with sensitive data over HTTP

Best Practices

Use HTTPS in Production: Always enable HTTPS for production deployments
Separate Configs: Use different settings for dev/prod environments
Network Security: If using HTTP, ensure network is trusted (VPN, local network)
Monitor Logs: Watch for CSRF failures in application logs

Alternative Solutions

Solution 1: Use a Domain Name

Instead of accessing via IP, use a domain name:

# Add to /etc/hosts (Linux/Mac) or C:\Windows\System32\drivers\etc\hosts (Windows)
192.168.1.100 timetracker.local

# Access via domain
http://timetracker.local:8080

Solution 2: Enable HTTPS

Set up HTTPS with a self-signed certificate for local development:

# Generate self-signed certificate
openssl req -x509 -newkey rsa:4096 -nodes \
  -keyout key.pem -out cert.pem -days 365 \
  -subj "/CN=192.168.1.100"

# Update docker-compose to use HTTPS
# Then set:
WTF_CSRF_SSL_STRICT=true
SESSION_COOKIE_SECURE=true

Solution 3: Disable CSRF (Development Only)

⚠️ Only for isolated development environments:

WTF_CSRF_ENABLED=false

Never use this in production or with real data!

Troubleshooting

Check 1: Verify environment variables are loaded

docker-compose exec app env | grep WTF_CSRF_SSL_STRICT

Check 2: Restart the container

docker-compose restart app

Check 3: Check application logs

docker-compose logs app | tail -50

Issue: CSRF Token Works but Form Fails

This is different from cookie creation. Check:

Token in HTML form: View page source and search for csrf_token
Token in request: Browser DevTools → Network → Form Data
Token expiration: Increase WTF_CSRF_TIME_LIMIT

Issue: Works on Chrome but not Firefox/Safari

Different browsers have different cookie policies:

Try disabling enhanced tracking protection
Check browser console for cookie warnings
Use consistent SameSite settings

Configuration Examples

Local Development (HTTP, IP Access)

# .env
FLASK_ENV=development
WTF_CSRF_ENABLED=true
WTF_CSRF_SSL_STRICT=false
SESSION_COOKIE_SECURE=false
CSRF_COOKIE_SECURE=false
SESSION_COOKIE_SAMESITE=Lax
CSRF_COOKIE_SAMESITE=Lax

Production (HTTPS, Domain)

# .env
FLASK_ENV=production
WTF_CSRF_ENABLED=true
WTF_CSRF_SSL_STRICT=true
SESSION_COOKIE_SECURE=true
CSRF_COOKIE_SECURE=true
SESSION_COOKIE_SAMESITE=Strict
CSRF_COOKIE_SAMESITE=Strict

Testing (Disable CSRF)

# .env (isolated test environment only!)
FLASK_ENV=development
WTF_CSRF_ENABLED=false

Summary

The core issue: WTF_CSRF_SSL_STRICT=true (default) blocks cookie creation for HTTP access via IP addresses.

The solution: Set WTF_CSRF_SSL_STRICT=false when accessing via IP without HTTPS.

For production: Always use HTTPS with proper domain names and keep strict settings enabled.

Last Updated: October 2024
Applies To: TimeTracker v1.0+

6.7 KiB Raw Blame History

CSRF Cookie Issues with Remote IP Access