[ https://issues.apache.org/jira/browse/COUCHDB-2762?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14649344#comment-14649344 ]

ASF GitHub Bot commented on COUCHDB-2762:
-----------------------------------------

GitHub user rnewson opened a pull request:

    https://github.com/apache/couchdb-couch/pull/80

    Add CSRF protection

    If the request parameter `csrf` is set to `true` when successfully
    acquiring a session cookie from `_session`, an additional cookie
    (`Csrf-token`) is returned. All requests that send this new cookie
    must also send a header (`X-Csrf-Token`) with the same value. If the
    cookie is sent and the header is missing or different, a 403 response
    is generated.
    
    Note that the CSRF token is signed by the server so tampering is
    detected and also results in a 403 response.
    
    closes COUCHDB-2762

You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/cloudant/couchdb-couch 2762-csrf

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/couchdb-couch/pull/80.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #80
    
----
commit 32fd87b2840b090a40782c2442c268dfca25c9e3
Author: Robert Newson <[email protected]>
Date:   2015-07-31T15:25:36Z

    Add CSRF protection
    
    If the request parameter `csrf` is set to `true` when successfully
    acquiring a session cookie from `_session`, an additional cookie
    (`Csrf-token`) is returned. All requests that send this new cookie
    must also send a header (`X-Csrf-Token`) with the same value. If the
    cookie is sent and the header is missing or different, a 403 response
    is generated.
    
    Note that the CSRF token is signed by the server so tampering is
    detected and also results in a 403 response.
    
    closes COUCHDB-2762

----


> Add CSRF protection
> -------------------
>
>                 Key: COUCHDB-2762
>                 URL: https://issues.apache.org/jira/browse/COUCHDB-2762
>             Project: CouchDB
>          Issue Type: Improvement
>      Security Level: public(Regular issues) 
>            Reporter: Robert Newson
>            Assignee: Robert Newson
>             Fix For: 2.0.0
>
>
> Add support for the "double submit cookie" CSRF protection.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
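The check described in the pull request, modelled as an added Python example (this is not the CouchDB code from the PR, which is Erlang; it is illustration only). The rules it encodes are the ones the PR text states: a `Csrf-token` cookie is only issued when `_session` is called with `csrf=true`, any request carrying that cookie must also carry an `X-Csrf-Token` header with the same value, a missing or different header yields 403, and a token whose server signature does not verify also yields 403. The HMAC-SHA256 signing scheme, the `<nonce>:<signature>` token layout, the `SERVER_SECRET` value and the `AuthSession` session cookie name are assumptions, not details from the page.

```python
import hmac
import hashlib
import secrets
from typing import Dict, Tuple

# Assumed server-side signing key (constructed for this example; a real deployment
# would generate and store this out of band, never in source).
SERVER_SECRET = b"constructed-demo-secret-do-not-use"

COOKIE_NAME = "Csrf-token"    # cookie name given in the PR description
HEADER_NAME = "X-Csrf-Token"  # header name given in the PR description


def _sign(nonce: str) -> str:
    """HMAC-SHA256 over the nonce, hex-encoded (signing scheme assumed here)."""
    return hmac.new(SERVER_SECRET, nonce.encode(), hashlib.sha256).hexdigest()


def mint_csrf_token() -> str:
    """Build a token of the form <nonce>:<signature> so tampering is detectable."""
    nonce = secrets.token_hex(16)
    return f"{nonce}:{_sign(nonce)}"


def token_is_valid(token: str) -> bool:
    """True only if the token's signature was produced with SERVER_SECRET."""
    nonce, sep, sig = token.partition(":")
    if not sep or not nonce or not sig:
        return False
    # Constant-time comparison avoids leaking how many leading bytes matched.
    return hmac.compare_digest(_sign(nonce).encode(), sig.encode())


def session_response(csrf: bool) -> Dict[str, str]:
    """Model the cookies set by a successful POST to _session.

    'AuthSession' stands in for the session cookie (name assumed); the extra
    Csrf-token cookie is added only when the csrf request parameter is true.
    """
    cookies = {"AuthSession": secrets.token_urlsafe(24)}
    if csrf:
        cookies[COOKIE_NAME] = mint_csrf_token()
    return cookies


def check_request(cookies: Dict[str, str], headers: Dict[str, str]) -> Tuple[int, str]:
    """Apply the double-submit rule to one request; returns (status, reason)."""
    cookie_token = cookies.get(COOKIE_NAME)
    if cookie_token is None:
        # No CSRF cookie on the request: the PR imposes no check in this case.
        return 200, "no csrf cookie, not checked"
    # HTTP header names are case-insensitive, so match them that way.
    header_token = next(
        (v for k, v in headers.items() if k.lower() == HEADER_NAME.lower()), None
    )
    if header_token is None:
        return 403, "csrf cookie present but header missing"
    if not hmac.compare_digest(cookie_token.encode(), header_token.encode()):
        return 403, "csrf cookie and header differ"
    if not token_is_valid(cookie_token):
        return 403, "csrf token signature invalid (tampered or not issued here)"
    return 200, "ok"


if __name__ == "__main__":
    # Constructed requests exercising each branch of the check.
    issued = session_response(csrf=True)
    good = {HEADER_NAME: issued[COOKIE_NAME]}
    print("legitimate client:", check_request(issued, good))
    print("header missing:   ", check_request(issued, {}))
    print("header mismatch:  ", check_request(issued, {HEADER_NAME: "other"}))
    # A forged pair: cookie and header agree, but nobody signed the token.
    forged = "deadbeef:" + "0" * 64
    print("forged token:     ", check_request({COOKIE_NAME: forged}, {HEADER_NAME: forged}))
    print("no csrf cookie:   ", check_request(session_response(csrf=False), {}))
```

The equality test alone is the classic double-submit defence: a cross-site page can cause the browser to send the cookie, but cannot read it and cannot add a custom header to a simple form post. The signature step is what the PR adds on top, and the forged-pair case above shows why it matters: a party able to plant a cookie (the usual example is another host under the same parent domain) could otherwise submit a matching cookie/header pair of its own choosing.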
