developer.jelix.org is not used any more and exists only for history. Post new tickets on the Github account.

Opened 13 years ago

Closed 12 years ago

Last modified 12 years ago

#478 closed enhancement (fixed)

jforms: support of protection against CSRF

Reported by: laurentj Owned by: laurentj
Priority: highest Milestone: jelix 1.1
Component: jelix:forms Version: 1.0.2
Severity: major Keywords:
Cc: Blocked By:
Blocking: Documentation needed: no
Hosting Provider: Php version:

Description

for CSRF, see http://fr.wikipedia.org/wiki/Cross-Site_Request_Forgeries.

We could have an attribute in a jform file to say whether we want to activate CSRF protection. So a token will be generated during the creation of the form, and its validity will be checked.

Change History (7)

comment:1 Changed 12 years ago by laurentj

  • Milestone set to Jelix 1.1 beta 1
  • Owner set to laurentj
  • Priority changed from normal to highest
  • Status changed from new to assigned

comment:2 Changed 12 years ago by bballizlife

Why not have this protection activated by default?

comment:3 Changed 12 years ago by laurentj

  • Milestone changed from Jelix 1.1 beta 1 to Jelix 1.1 beta 2

comment:4 Changed 12 years ago by bibo

see also this recent research paper on CSRF attacks (see login attacks) and the counter-measures advised: http://www.adambarth.com/papers/2008/barth-jackson-mitchell-b.pdf

comment:5 Changed 12 years ago by laurentj

  • Milestone changed from Jelix 1.1 beta 2 to jelix 1.1

Milestone Jelix 1.1 beta 2 deleted

comment:6 Changed 12 years ago by laurentj

  • Documentation needed set
  • Resolution set to fixed
  • Status changed from assigned to closed

Done.

Added a new XML attribute allowAnyOrigin on the root element to disable it, and a new jFormsBase::securityLevel property.

svn 1167
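An added sketch of the mechanism the description and comment:6 outline (a token generated when the form is created, checked when it is submitted, with a switch to turn the protection off). This is illustration code, not Jelix's jforms implementation; CsrfForm, $csrfEnabled, the hidden-field name and the session key layout are assumptions made here.

```php
<?php
// Added illustration, not Jelix's jforms code. A synchronizer token is created
// when the form object is built, rendered as a hidden field, and checked when
// the form comes back. $csrfEnabled plays the role of the opt-out attribute.
final class CsrfForm
{
    public const FIELD = '__csrf_token';      // constructed hidden-field name
    private array $session;                   // stands in for $_SESSION

    public function __construct(private string $formId, array &$session,
                                private bool $csrfEnabled = true)
    {
        $this->session = &$session;
        if ($this->csrfEnabled) {
            // Fresh 256-bit random token per form instance, kept server-side only.
            $this->session['csrf'][$this->formId] = bin2hex(random_bytes(32));
        }
    }

    // Hidden input to emit inside the <form> when it is rendered.
    public function hiddenField(): string
    {
        if (!$this->csrfEnabled) { return ''; }
        $tok = htmlspecialchars($this->session['csrf'][$this->formId], ENT_QUOTES);
        return sprintf('<input type="hidden" name="%s" value="%s">', self::FIELD, $tok);
    }

    // Accept the submission only if it carries the token issued for this form;
    // a successful check burns the token so the same request cannot be replayed.
    public function check(array $post): bool
    {
        if (!$this->csrfEnabled) { return true; }
        $expected = $this->session['csrf'][$this->formId] ?? null;
        $given    = $post[self::FIELD] ?? null;
        if (!is_string($expected) || !is_string($given)
            || !hash_equals($expected, $given)) {     // constant-time compare
            return false;
        }
        unset($this->session['csrf'][$this->formId]);
        return true;
    }
}

// Constructed walk-through with a plain array standing in for $_SESSION.
$session = [];
$form = new CsrfForm('contact', $session);
preg_match('/value="([0-9a-f]+)"/', $form->hiddenField(), $m);
var_dump($form->check(['name' => 'x']));                 // cross-site POST: no token
var_dump($form->check([CsrfForm::FIELD => $m[1]]));      // genuine submission
var_dump($form->check([CsrfForm::FIELD => $m[1]]));      // replay after use
```

A request carrying no token or a stale token is rejected without touching the form data, which is the check a server-side handler should make before processing any state-changing submission.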

comment:7 Changed 12 years ago by laurentj

  • Documentation needed unset