[
https://issues.apache.org/jira/browse/TOBAGO-972?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Udo Schnurpfeil resolved TOBAGO-972.
------------------------------------
Resolution: Fixed
Fix Version/s: 1.0.34
> Implement a session secret to protect against cross-site request forgery
> (CSRF/XSRF)
> ------------------------------------------------------------------------------------
>
> Key: TOBAGO-972
> URL: https://issues.apache.org/jira/browse/TOBAGO-972
> Project: MyFaces Tobago
> Issue Type: New Feature
> Reporter: Udo Schnurpfeil
> Assignee: Udo Schnurpfeil
> Fix For: 1.0.34
>
>
> The secret will be rendered in every page as a hidden field.
> Each request will check the correct value to prove the validity of the
> request.
> If the test fails, the lifecycle goes directly to the render response phase.
> There are 2 values in the tobago-config.xml to configure:
> create-session-secret: A secret will be created and rendered on every page.
> check-session-secret: The secret will be checked.
> If the application developer wants to use neither of them, they can be switched
> off.
> If the application developer wants to define a specific behavior, the
> creation may be switched on, but the check may be implemented in an
> application specific phase listener.
> Defaults for Tobago 1.0.x:
> create-session-secret: false
> check-session-secret: false
> Defaults for Tobago 1.5.x:
> create-session-secret: true
> check-session-secret: true
--
This message is automatically generated by JIRA.
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
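The mechanism the issue describes (a per-session secret, rendered into every page as a hidden field, compared against the submitted value on each request, and a failed check sending the lifecycle straight to the render response phase) written out as an added example in plain JSF. This is example code, not Tobago's implementation of TOBAGO-972: the package and class name, the session attribute / request parameter name org.example.csrf.sessionSecret and the hiddenField helper are assumptions made for the example. The "create" part (currentSecret) and the "check" part (afterPhase) are kept separate on purpose, mirroring the create-session-secret / check-session-secret split in tobago-config.xml, so an application can keep the creation and replace the check with its own phase listener.

```java
package org.example.csrf;

import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Map;

import javax.faces.context.ExternalContext;
import javax.faces.context.FacesContext;
import javax.faces.event.PhaseEvent;
import javax.faces.event.PhaseId;
import javax.faces.event.PhaseListener;
import javax.servlet.http.HttpServletRequest;

/**
 * Illustrative CSRF session-secret check as a JSF PhaseListener (example code,
 * not Tobago's own). The secret lives in the HTTP session, is rendered into
 * every form as a hidden field and is compared against the submitted value
 * right after RESTORE_VIEW. On mismatch the request skips straight to
 * RENDER_RESPONSE, so no value update, validation or action ever runs.
 */
public class SessionSecretPhaseListener implements PhaseListener {

    /** Session attribute and request parameter name (hypothetical, chosen for this example). */
    public static final String SECRET_NAME = "org.example.csrf.sessionSecret";

    private static final int SECRET_BYTES = 32;           // 256 bits of entropy
    private static final SecureRandom RANDOM = new SecureRandom();

    public PhaseId getPhaseId() {
        return PhaseId.RESTORE_VIEW;
    }

    public void beforePhase(PhaseEvent event) {
        // nothing to do before the view is restored
    }

    public void afterPhase(PhaseEvent event) {
        FacesContext context = event.getFacesContext();
        ExternalContext external = context.getExternalContext();
        // "create": makes sure a secret exists for this session (also on a fresh session)
        String expected = currentSecret(context);

        HttpServletRequest request = (HttpServletRequest) external.getRequest();
        if (!"POST".equalsIgnoreCase(request.getMethod())) {
            return; // initial GET render: nothing to verify, the page just gets the hidden field
        }

        // "check": a missing, foreign or expired-session secret all fail here
        String submitted = request.getParameter(SECRET_NAME);
        if (!secretMatches(expected, submitted)) {
            external.log("Session secret check failed for " + request.getRequestURI());
            context.renderResponse(); // jump over the remaining phases and re-render the page
        }
    }

    /** Returns the per-session secret, generating and storing it on first access. */
    public static String currentSecret(FacesContext context) {
        Map<String, Object> session = context.getExternalContext().getSessionMap();
        String secret = (String) session.get(SECRET_NAME);
        if (secret == null) {
            byte[] raw = new byte[SECRET_BYTES];
            RANDOM.nextBytes(raw);
            secret = toHex(raw);
            session.put(SECRET_NAME, secret);
        }
        return secret;
    }

    /**
     * Markup a form renderer emits on every page. The value is hex, so it needs
     * no HTML escaping; the name matches what afterPhase() reads back.
     */
    public static String hiddenField(FacesContext context) {
        return "<input type=\"hidden\" name=\"" + SECRET_NAME
                + "\" value=\"" + currentSecret(context) + "\"/>";
    }

    /** Constant-time comparison, so the secret cannot be guessed byte by byte via timing. */
    static boolean secretMatches(String expected, String submitted) {
        if (expected == null || submitted == null) {
            return false;
        }
        return MessageDigest.isEqual(expected.getBytes(), submitted.getBytes());
    }

    private static String toHex(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) {
            sb.append(Character.forDigit((b >> 4) & 0xF, 16));
            sb.append(Character.forDigit(b & 0xF, 16));
        }
        return sb.toString();
    }
}
```

The listener is registered in faces-config.xml with a standard `<lifecycle><phase-listener>org.example.csrf.SessionSecretPhaseListener</phase-listener></lifecycle>` entry, and the form renderer (or page template) has to include hiddenField(context) in every form, otherwise legitimate submits fail the check as well. Two caveats a practitioner should keep in mind: only POST requests are verified here, so state-changing GET links are not covered by this pattern, and MessageDigest.isEqual is only constant-time on Java 6u17 and later; older runtimes need a hand-written loop that does not return early on the first differing byte.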