Ticket #478 (closed enhancement: fixed)

Opened 2 years ago

Last modified 17 months ago

jforms: support of protection against CSRF

Reported by: laurentj
Owned by: laurentj
Priority: highest
Milestone: jelix 1.1
Component: jelix:forms
Version: 1.0.2
Severity: major
Documentation needed: no

Description

for CSRF, see http://fr.wikipedia.org/wiki/Cross-Site_Request_Forgeries.

We could have an attribute in a jforms file to say whether we want to activate CSRF protection. A token would then be generated during the creation of the form, and its validity will be checked.
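The mechanism the ticket describes, as an added example in plain PHP (this is not jForms code and does not use the jForms API): a random token is created when the form is built, kept server-side in the session, emitted as a hidden field, and compared in constant time when the form comes back. The helper names (csrf_token_for_form, csrf_hidden_field, csrf_check), the field name __csrf_token and the session array passed in place of $_SESSION are all assumptions made for the example.

```php
<?php
// Added example of a synchronizer-token CSRF guard; not jForms' implementation.
// Function names, the hidden-field name and the session layout are assumptions.
declare(strict_types=1);

const CSRF_SESSION_KEY = '__csrf_tokens';

// Create (or reuse) the token for one form and keep it in the session.
function csrf_token_for_form(array &$session, string $formId): string
{
    if (!isset($session[CSRF_SESSION_KEY][$formId])) {
        // 32 bytes from the CSPRNG, hex-encoded so it is safe inside an attribute.
        $session[CSRF_SESSION_KEY][$formId] = bin2hex(random_bytes(32));
    }
    return $session[CSRF_SESSION_KEY][$formId];
}

// Hidden field that carries the token back with the submission.
function csrf_hidden_field(array &$session, string $formId): string
{
    $token = csrf_token_for_form($session, $formId);
    return '<input type="hidden" name="__csrf_token" value="'
        . htmlspecialchars($token, ENT_QUOTES, 'UTF-8') . '">';
}

// Validate a submission: true only when the posted token equals the stored one.
// hash_equals() gives a constant-time comparison; the token is consumed either way,
// so a token that leaked once cannot be replayed.
function csrf_check(array &$session, string $formId, array $post): bool
{
    $expected  = $session[CSRF_SESSION_KEY][$formId] ?? null;
    $submitted = $post['__csrf_token'] ?? null;
    if (!is_string($expected) || !is_string($submitted)) {
        return false;
    }
    $ok = hash_equals($expected, $submitted);
    unset($session[CSRF_SESSION_KEY][$formId]);
    return $ok;
}

// Usage with a constructed session array standing in for $_SESSION.
$session = [];
echo csrf_hidden_field($session, 'deleteAccount'), "\n";
$token = $session[CSRF_SESSION_KEY]['deleteAccount'];

// Legitimate submission: the browser posts the hidden field back unchanged.
var_dump(csrf_check($session, 'deleteAccount', ['__csrf_token' => $token]));

// Replay of the consumed token: nothing is stored for the form any more, so it is rejected.
var_dump(csrf_check($session, 'deleteAccount', ['__csrf_token' => $token]));

// Forged cross-site request: the attacking page cannot read the victim's token,
// so whatever it guesses does not match the freshly issued one.
csrf_token_for_form($session, 'deleteAccount');
var_dump(csrf_check($session, 'deleteAccount', ['__csrf_token' => 'guess']));
```

The token must be bound to the user's session, not derivable from anything an attacker's page can see, and compared with hash_equals() rather than ==; a per-form key lets several forms be open at once without one consuming another's token.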

Change History

Changed 2 years ago by laurentj

  • owner set to laurentj
  • priority changed from normal to highest
  • status changed from new to assigned
  • milestone set to Jelix 1.1 beta 1

Changed 2 years ago by bballizlife

Why not have this protection activated by default?

Changed 2 years ago by laurentj

  • milestone changed from Jelix 1.1 beta 1 to Jelix 1.1 beta 2

Changed 22 months ago by bibo

See also this recent research paper on CSRF attacks (see login attacks) and the counter-measures advised: http://www.adambarth.com/papers/2008/barth-jackson-mitchell-b.pdf

Changed 22 months ago by laurentj

  • milestone changed from Jelix 1.1 beta 2 to jelix 1.1

Milestone Jelix 1.1 beta 2 deleted

Changed 21 months ago by laurentj

  • status changed from assigned to closed
  • resolution set to fixed
  • docneeded set

Done.

Added a new XML attribute allowAnyOrigin on the root element to disable it, and a new jFormsBase::securityLevel property.

svn 1167
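An Origin-header check of the kind the paper cited above recommends, as an added example in plain PHP (not jForms' implementation, and not what the allowAnyOrigin attribute does internally): the request's Origin header, or failing that the origin part of Referer, must match one of the site's own origins, and a per-form flag assumed to play the role of allowAnyOrigin bypasses the check. The function name, the flag semantics and the decision to reject a request carrying neither header are assumptions for the example.

```php
<?php
// Added example of an Origin/Referer CSRF check; not jForms code.
// csrf_origin_allowed(), its parameters and the "reject when no header" rule are assumptions.
declare(strict_types=1);

// Reduce a Referer URL to its origin: scheme://host[:port]. Null when unparsable.
function origin_of_url(string $url): ?string
{
    $p = parse_url($url);
    if (!is_array($p) || !isset($p['scheme'], $p['host'])) {
        return null;
    }
    return $p['scheme'] . '://' . $p['host'] . (isset($p['port']) ? ':' . $p['port'] : '');
}

// True when the request may be accepted as same-origin.
// $headers: request headers keyed by name; $trustedOrigins: e.g. ['https://app.example.com'].
function csrf_origin_allowed(array $headers, array $trustedOrigins, bool $allowAnyOrigin = false): bool
{
    if ($allowAnyOrigin) {
        return true; // protection explicitly switched off for this form
    }
    $origin = $headers['Origin'] ?? null;
    if ($origin === null && isset($headers['Referer'])) {
        $origin = origin_of_url($headers['Referer']);
    }
    // Browsers send Origin on POST; a request with neither header did not come from
    // a normal form submission (or was stripped), so reject rather than guess.
    // The literal "null" origin (opaque/sandboxed sources) is rejected as well.
    if ($origin === null || $origin === 'null') {
        return false;
    }
    $trusted = array_map('strtolower', $trustedOrigins);
    return in_array(strtolower($origin), $trusted, true);
}

$trusted = ['https://app.example.com'];

// Constructed header sets for a POST to the site.
$sameOrigin  = ['Origin' => 'https://app.example.com'];
$crossSite   = ['Origin' => 'https://attacker.example'];
$refererOnly = ['Referer' => 'https://app.example.com/account/delete'];
$noHeaders   = [];

var_dump(csrf_origin_allowed($sameOrigin,  $trusted));        // accepted
var_dump(csrf_origin_allowed($crossSite,   $trusted));        // rejected
var_dump(csrf_origin_allowed($refererOnly, $trusted));        // accepted via Referer
var_dump(csrf_origin_allowed($noHeaders,   $trusted));        // rejected
var_dump(csrf_origin_allowed($crossSite,   $trusted, true));  // accepted: check disabled
```

The origin check and the per-form token complement each other: the token defends forms whose submissions legitimately arrive without usable headers, while the origin check costs nothing per form and also covers the login-CSRF case, where no session exists yet to bind a token to.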

Changed 17 months ago by laurentj

  • docneeded unset