[ 
https://issues.apache.org/jira/browse/OFBIZ-11306?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17013678#comment-17013678
 ] 

James Yong commented on OFBIZ-11306:
------------------------------------

*+Explanation for tokens in form URL (defined in FTL files)+*

In order to manually add a CSRF token field, users need to ensure the URI used 
is the same in both the form action attribute and the CSRF token field.

For example,

<form action="<@ofbizUrl>login</@ofbizUrl>" method="post">
    <@csrfTokenField>login</@csrfTokenField>
    ...
</form>

 

Using the <@ofbizUrl> macro to generate the CSRF token means there is no need to 
manually add the CSRF token field to each form in the FTL files. It will save 
time for users doing custom implementation and maintenance. 

While there is a CSRF token in the form URL, the token is invalidated during form 
submission. So it is harmless even though the CSRF token of the form submission 
is shown in the browser address bar.

In this case, security is not compromised.

> POC for CSRF Token
> ------------------
>
>                 Key: OFBIZ-11306
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-11306
>             Project: OFBiz
>          Issue Type: Improvement
>          Components: ALL APPLICATIONS
>    Affects Versions: Upcoming Branch
>            Reporter: James Yong
>            Assignee: Jacques Le Roux
>            Priority: Minor
>              Labels: CSRF
>             Fix For: Upcoming Branch
>
>         Attachments: OFBIZ-11306-v2.patch, OFBIZ-11306.patch, 
> OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, 
> OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, 
> OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306_Plugins.patch, 
> OFBIZ-11306_Plugins.patch, OFBIZ-11306_Plugins.patch, 
> OFBIZ-11306_Plugins.patch
>
>
> CSRF tokens are generated using CSRF Guard library and used in:
> 1) In widget form where a hidden token field is auto-generated.
> 2) In FTL form where a <@csrfTokenField> macro is used to generate the csrf 
> token field. 
> 3) In Ajax call where a <@csrfTokenAjax> macro is used to assign csrf token 
> to X-CSRF-Token in request header. 
> CSRF tokens are stored in the user sessions, and verified during POST request.
> A new attribute i.e. csrf-token is added to the security tag to exempt CSRF 
> token check.
> Certain request path, like LookupPartyName, can be exempt from CSRF token 
> check during Ajax POST call. 



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
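The scheme the comment and the issue describe (a token bound to one request URI, kept in the user session, verified only on POST, accepted from a hidden field, from the X-CSRF-Token header, or from the URL that <@ofbizUrl> generates, and invalidated once the form is submitted, with some paths exempt via the security tag's csrf-token attribute) can be modelled end to end. The block below is an added illustration written for this page, not OFBiz code and not CSRF Guard: the Session class, the "csrfToken" field/query parameter name, the "/control/" path prefix, the EXEMPT_PATHS set and every function name are assumptions chosen for the example, and the HTML/URL strings are constructed inline.

```python
"""Illustrative model of a session-scoped, per-URI, single-use CSRF token
scheme in the spirit of OFBIZ-11306. Added example; not OFBiz or CSRF Guard
code. All names here are stand-ins chosen for the illustration."""
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Request paths that skip the check. Stands in for a request whose security
# tag carries csrf-token="false" (attribute name from the issue text; the
# set itself is a constructed example, not OFBiz configuration).
EXEMPT_PATHS = {"LookupPartyName"}


class Session:
    """Minimal stand-in for an HttpSession holding one token per URI."""

    def __init__(self):
        self.csrf_tokens = {}  # uri -> token (hypothetical attribute name)


def issue_token(session, uri):
    """Mint a fresh random token bound to `uri` and remember it in the session.
    Re-issuing for the same URI replaces the previous token."""
    token = secrets.token_urlsafe(32)
    session.csrf_tokens[uri] = token
    return token


def csrf_token_field(session, uri):
    """Model of <@csrfTokenField>: a hidden input carrying the token for `uri`."""
    return f'<input type="hidden" name="csrfToken" value="{issue_token(session, uri)}"/>'


def ofbiz_url(session, uri):
    """Model of <@ofbizUrl> with the token embedded in the URL's query string,
    so a plain <form action=...> needs no separate hidden field."""
    return f"/control/{uri}?" + urlencode({"csrfToken": issue_token(session, uri)})


def verify_csrf(session, method, url, form=None, headers=None):
    """Server-side check at submission time. True means the request may proceed."""
    if method.upper() != "POST":
        return True  # the scheme only verifies POST requests
    parts = urlsplit(url)
    uri = parts.path.rsplit("/", 1)[-1]
    if uri in EXEMPT_PATHS:
        return True
    # Accept the token from the hidden field, the Ajax header, or the URL query.
    presented = (
        (form or {}).get("csrfToken")
        or (headers or {}).get("X-CSRF-Token")
        or (parse_qs(parts.query).get("csrfToken") or [None])[0]
    )
    expected = session.csrf_tokens.get(uri)  # None if no token was issued for this URI
    if presented is None or expected is None:
        return False
    if not hmac.compare_digest(presented.encode(), expected.encode()):
        return False
    # Single use: a consumed token is dropped from the session, so the copy left
    # in the browser address bar (or in history) cannot be replayed. A failed
    # attempt deliberately does not consume the token, so a forged POST cannot
    # knock out the user's pending legitimate form.
    del session.csrf_tokens[uri]
    return True


def demo():
    s = Session()
    # 1) Hidden field minted for "login", posted to "login": accepted once, then rejected.
    csrf_token_field(s, "login")
    tok = s.csrf_tokens["login"]
    first = verify_csrf(s, "POST", "/control/login", form={"csrfToken": tok})
    replay = verify_csrf(s, "POST", "/control/login", form={"csrfToken": tok})
    # 2) Token minted for "login" but the form action points elsewhere: URI mismatch.
    csrf_token_field(s, "login")
    mismatch = verify_csrf(s, "POST", "/control/updatePassword",
                           form={"csrfToken": s.csrf_tokens["login"]})
    # 3) Token carried in the URL from the macro: accepted once, replay rejected.
    url = ofbiz_url(s, "createOrder")
    via_url = verify_csrf(s, "POST", url)
    via_url_replay = verify_csrf(s, "POST", url)
    # 4) Ajax POST carrying the token in the X-CSRF-Token header.
    ajax = verify_csrf(s, "POST", "/control/updateCart",
                       headers={"X-CSRF-Token": issue_token(s, "updateCart")})
    # 5) Exempt path needs no token; a cross-site forged POST without one is rejected.
    exempt = verify_csrf(s, "POST", "/control/LookupPartyName")
    forged = verify_csrf(s, "POST", "/control/login", form={"csrfToken": "guess"})
    return {"first": first, "replay": replay, "mismatch": mismatch,
            "via_url": via_url, "via_url_replay": via_url_replay,
            "ajax": ajax, "exempt": exempt, "forged": forged}


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:15s} -> {'accepted' if ok else 'rejected'}")
```

Case 2 is the situation the comment warns about: the token exists in the session, but under a different URI than the one the form posts to, so the check fails exactly as if no token had been sent. Cases 3 and its replay show why a token visible in the address bar is harmless once it is single-use.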