Details
- Type: New Feature
- Status: Closed
- Priority: Major
- Resolution: Fixed
Description
The secret will be rendered in every page as a hidden field.
Each request will check that the submitted value is correct, to prove the validity of the request.
If the check fails, the lifecycle goes directly to the render response phase.
There are 2 values in the tobago-config.xml to configure:
- create-session-secret: A secret will be created and rendered on every page.
- check-session-secret: The secret will be checked.
If the application developer does not want to use either of them, both can be switched off.
If the application developer wants to define a specific behavior, the creation may be switched on, but the check may be implemented in an application-specific phase listener.
Defaults for Tobago 1.0.x:
- create-session-secret: false
- check-session-secret: false
Defaults for Tobago 1.5.x:
- create-session-secret: true
- check-session-secret: true
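The check described above, written as the kind of application-specific JSF phase listener the description allows for. This is an added example and not Tobago's own implementation: the class name, the session attribute name, the hidden field name, and the choice of APPLY_REQUEST_VALUES as the phase at which the check runs are all assumptions; only the standard JSF and JDK APIs are real.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;

import javax.faces.context.FacesContext;
import javax.faces.event.PhaseEvent;
import javax.faces.event.PhaseId;
import javax.faces.event.PhaseListener;

/**
 * Assumed example listener: creates a per-session secret on first use and,
 * on every postback, requires the same value to be submitted in a hidden field.
 * If the check fails, the lifecycle skips straight to render response.
 * Registered in faces-config.xml under <lifecycle><phase-listener>.
 */
public class SessionSecretPhaseListener implements PhaseListener {

  // Assumed names for the session attribute and the hidden request parameter.
  static final String SESSION_KEY = "example.sessionSecret";
  static final String FIELD_NAME = "example.sessionSecretField";

  private static final SecureRandom RANDOM = new SecureRandom();

  /** The "create" side: return the session secret, generating one on first use. */
  public static String getOrCreateSecret(Map<String, Object> session) {
    Object existing = session.get(SESSION_KEY);
    if (existing instanceof String) {
      return (String) existing;
    }
    byte[] bytes = new byte[32]; // 256 bits from a CSPRNG
    RANDOM.nextBytes(bytes);
    String secret = Base64.getUrlEncoder().withoutPadding().encodeToString(bytes);
    session.put(SESSION_KEY, secret);
    return secret;
  }

  /** The "check" side: constant-time comparison of submitted vs. expected value. */
  public static boolean isValid(String submitted, String expected) {
    if (submitted == null || expected == null) {
      return false;
    }
    return MessageDigest.isEqual(
        submitted.getBytes(StandardCharsets.UTF_8),
        expected.getBytes(StandardCharsets.UTF_8));
  }

  @Override
  public PhaseId getPhaseId() {
    return PhaseId.APPLY_REQUEST_VALUES;
  }

  @Override
  public void beforePhase(PhaseEvent event) {
    FacesContext context = event.getFacesContext();
    Map<String, Object> session = context.getExternalContext().getSessionMap();
    if (!context.isPostback()) {
      // Initial GET: no hidden field is submitted; make sure a secret exists
      // so the page that is about to be rendered can include it.
      getOrCreateSecret(session);
      return;
    }
    String submitted = context.getExternalContext().getRequestParameterMap().get(FIELD_NAME);
    String expected = (String) session.get(SESSION_KEY);
    if (!isValid(submitted, expected)) {
      // Skip apply-request-values, validation, update-model and invoke-application:
      // the request is not acted upon, the page is simply rendered again.
      context.renderResponse();
    }
  }

  @Override
  public void afterPhase(PhaseEvent event) {
    // nothing to do after the phase
  }
}
```

The page itself would render the value returned by getOrCreateSecret inside each form as a hidden input named FIELD_NAME (the rendering side is not shown here). Two design points worth keeping when adapting this: the comparison uses MessageDigest.isEqual rather than String.equals so that a wrong guess does not leak how many leading characters matched, and the secret lives only in the server-side session, so a request that does not originate from a page this session rendered cannot know it.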
Issue Links
- relates to TOBAGO-1319 SessionSecret will not be checked in 2.0.0 alpha (Closed)
- relates to TOBAGO-1318 Meaning of TobagoConfig.isCheckSessionSecret() and isCreateSessionSecret() is inverted (Closed)