Identity Provider: IDP-1191

Add XSRF mitigation to form processing actions

    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 4.0.0
    • Labels: None
    • Operating System: Multiple

      Description

      We don't currently have any XSRF mitigations.

      It would be possible to explore doing this by overriding the flow execution keys with something random, but it's difficult to prevent those from showing up on the URLs.

      An alternative would be to hit all of our view states and have them generate and insert a token into the views, store it in the PRC, and then rebase some of the action beans on a base class that checks for the token.

      That would require modifying views but we could add this as a property defaulting off in 3.4 and then default it on in 4.0.
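The scheme sketched above (view state mints a token, stores it in the request context, a base action class verifies it before the form is processed) as an added Python illustration; this is not Shibboleth IdP code, and ProfileRequestContext, CsrfCheckingAction, the field name csrf_token and the event name InvalidCSRFToken are assumed names chosen for the example.

```python
import hmac
import secrets
from dataclasses import dataclass, field

TOKEN_FIELD = "csrf_token"  # assumed hidden-field name


@dataclass
class ProfileRequestContext:
    """Stand-in for the per-request context the description calls the PRC."""
    attributes: dict = field(default_factory=dict)


def issue_token(prc: ProfileRequestContext, nbytes: int = 32) -> str:
    """View-state step: mint an unguessable token, keep a copy in the PRC."""
    token = secrets.token_urlsafe(nbytes)
    prc.attributes[TOKEN_FIELD] = token
    return token


def render_hidden_field(token: str) -> str:
    """Markup the view would embed so the browser echoes the token back."""
    return f'<input type="hidden" name="{TOKEN_FIELD}" value="{token}"/>'


class CsrfCheckingAction:
    """Base class for form actions: execute() checks the token, then delegates."""

    def __init__(self, enforce: bool = True):
        self.enforce = enforce  # the 'property defaulting off' idea from the issue

    def execute(self, prc: ProfileRequestContext, form: dict) -> str:
        if self.enforce and not self._token_valid(prc, form):
            return "InvalidCSRFToken"  # assumed event id signalling rejection
        return self.do_execute(prc, form)

    @staticmethod
    def _token_valid(prc: ProfileRequestContext, form: dict) -> bool:
        expected = prc.attributes.get(TOKEN_FIELD)
        submitted = form.get(TOKEN_FIELD)
        if not isinstance(expected, str) or not isinstance(submitted, str):
            return False  # missing token is a rejection, not a pass
        # Constant-time comparison so mismatches leak nothing via timing.
        return hmac.compare_digest(expected.encode(), submitted.encode())

    def do_execute(self, prc: ProfileRequestContext, form: dict) -> str:
        raise NotImplementedError


class LoginFormAction(CsrfCheckingAction):
    """Example subclass: only reached when the token check has passed."""

    def do_execute(self, prc: ProfileRequestContext, form: dict) -> str:
        return "proceed" if form.get("username") else "NoCredentials"
```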

People

    • Assignee: Philip Smart (philip.smart@corp.jisc.ac.uk)
    • Reporter: Scott Cantor (cantor.2@osu.edu)
    • Watchers: 3


Time Tracking

    • Estimated: Not Specified
    • Remaining: Not Specified
    • Logged: 4 weeks, 2 days, 7 hours