#707 - Support security tokens on POST forms

By Chris Graham
Added 28th Jul 2012, 4:20 PM
6 views

Identifier	#707
Issue type	Feature request or suggestion
Title	Support security tokens on POST forms
Status	Completed
Handling member	Chris Graham
Addon	core
Description	A security tactic is to force time-limited security tokens for POST forms, so that CSRF attacks cannot be used to perform malicious website requests. Composr has referrer testing, but if the user has referrers disabled then their security will be diminished. Also, if a hacker somehow has access to another part of the domain the referrer check would pass. Security tokens should be optional, perhaps with a white-list of pages that don't have them. This is so people can make their own POSTed forms without having to be a PHP programmer.
Steps to reproduce
Funded?	No

The system will post a comment when this issue is modified (e.g., status changes). To be notified of this, click "Enable comment notifications".

Rating

Unrated

Comments

By Guest posted 24th Nov 2014, 5:43 PM

Implemented this, but not quite as described. The security tokens are simply the session IDs. This has the advantage of not breaking the back button as the token can be re-used, having a much simpler implementation (no new DB table, for example), and being more robust. If the session ID was stolen, it is a theoretically weaker solution, but stealing of session IDs is already a major risk in itself and something we specifically guard against.

There is an option for configuring what pages to not use this with, in case external integrations are required that do not have access to the session ID.

#707 - Support security tokens on POST forms

Rating

Comments

Statistics