Implement a session secret to protect against cross-site request forgery
(CSRF/XSRF)
------------------------------------------------------------------------------------
Key: TOBAGO-972
URL: https://issues.apache.org/jira/browse/TOBAGO-972
Project: MyFaces Tobago
Issue Type: New Feature
Reporter: Udo Schnurpfeil
Assignee: Udo Schnurpfeil
The secret will be rendered in every page as a hidden field.
Each request will be checked for the correct value to prove that the request is valid.
If the check fails, the lifecycle goes directly to the Render Response phase.
There are two values to configure in tobago-config.xml:
create-session-secret: A secret will be created and rendered on every page.
check-session-secret: The secret will be checked.
If the application developer does not want to use either of them, both can be
switched off.
If the application developer wants to define a specific behavior, the creation
may be switched on while the check is implemented in an application-specific
phase listener.
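As an added illustration of that last option (constructed example, not Tobago's own code), a JSF phase listener that checks a per-session secret submitted as a hidden field and, on mismatch, jumps to Render Response as the issue describes. The session attribute name and hidden-field name are assumptions, and rendering the field into the page is left to the framework or the application.

```java
import java.math.BigInteger;
import java.security.SecureRandom;
import java.util.Map;
import javax.faces.context.FacesContext;
import javax.faces.event.PhaseEvent;
import javax.faces.event.PhaseId;
import javax.faces.event.PhaseListener;

// Constructed example: application-specific check of a per-session secret.
// Attribute and parameter names are assumptions, not Tobago's own identifiers.
public class SessionSecretPhaseListener implements PhaseListener {

  static final String SESSION_KEY = "example.sessionSecret"; // assumed session attribute
  static final String FIELD_NAME = "example.sessionSecret";  // assumed hidden-field name
  private static final SecureRandom RANDOM = new SecureRandom();

  // Creates the secret on first use; this value is what the page renders as the hidden field.
  public static String getOrCreateSecret(Map<String, Object> session) {
    String secret = (String) session.get(SESSION_KEY);
    if (secret == null) {
      secret = new BigInteger(128, RANDOM).toString(32); // 128 bits of entropy
      session.put(SESSION_KEY, secret);
    }
    return secret;
  }

  // Constant-time comparison, so a mismatch does not leak how many characters matched.
  static boolean secretsMatch(String expected, String submitted) {
    if (expected == null || submitted == null || expected.length() != submitted.length()) {
      return false;
    }
    int diff = 0;
    for (int i = 0; i < expected.length(); i++) {
      diff |= expected.charAt(i) ^ submitted.charAt(i);
    }
    return diff == 0;
  }

  // Runs only for postbacks: JSF skips Apply Request Values for an initial GET.
  public PhaseId getPhaseId() { return PhaseId.APPLY_REQUEST_VALUES; }

  public void beforePhase(PhaseEvent event) {
    FacesContext context = event.getFacesContext();
    Map<String, Object> session = context.getExternalContext().getSessionMap();
    String submitted = context.getExternalContext().getRequestParameterMap().get(FIELD_NAME);
    if (!secretsMatch((String) session.get(SESSION_KEY), submitted)) {
      context.renderResponse(); // skip model update and actions for the rejected request
    }
  }

  public void afterPhase(PhaseEvent event) { }
}
```

Register the listener in faces-config.xml under lifecycle/phase-listener; the session secret must be created before the first form is rendered, otherwise the first postback has nothing to compare against.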
Defaults for Tobago 1.0.x:
create-session-secret: false
check-session-secret: false
Defaults for Tobago 1.5.x:
create-session-secret: true
check-session-secret: true
--
This message is automatically generated by JIRA.
-
For more information on JIRA, see: http://www.atlassian.com/software/jira