[ 
https://issues.apache.org/jira/browse/OFBIZ-11306?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17019626#comment-17019626
 ] 

James Yong commented on OFBIZ-11306:
------------------------------------

Hi Jacques,

Thanks for the check.

bq. Have you few examples of that (one would be sufficient)? We need to be sure 
that we are not missing anything.

forgotPassword

bq. Could you please explain where/how is that done? Is that depending on being 
a POST method as in tokenMap.remove(requestUri); in CsrfUtil::checkToken?

tokenMap.remove(requestUri)

bq. I'd prefer that we change all the "same uri for getting the form and 
posting the changes.". Somehow what you did for processorder in OFBIZ-11319

Agree we should use different uri for posting the form changes.

bq. Though I'd have preferred rather to add the token in a hidden field. I 
understand it's an easy way to automatically do it, and seems safe. As with the 
previous point we need to be sure that all forms use the POST method. Also we 
need to do it for at least ofbizContentUrl and check no others would miss it.

Will look into ofbizContentUrl.

bq. I suggest we make return size() > 100; in CsrfUtil::getTokenMap a property 
to allow users to adjust it according to their needs.

Will add the property.

bq. Some recommend encrypting IP and "Timeout" in the CSRF token and checking them. We 
could do that by using a JWT token rather than a random value. We could then 
check both IP and "Timeout" to increase safety.

Do you have any link for further reading?


Need more time to look into the remaining issues mentioned.

> POC for CSRF Token
> ------------------
>
>                 Key: OFBIZ-11306
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-11306
>             Project: OFBiz
>          Issue Type: Improvement
>          Components: ALL APPLICATIONS
>    Affects Versions: Upcoming Branch
>            Reporter: James Yong
>            Assignee: Jacques Le Roux
>            Priority: Minor
>              Labels: CSRF
>             Fix For: Upcoming Branch
>
>         Attachments: OFBIZ-11306-v2.patch, OFBIZ-11306.patch, 
> OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, 
> OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, 
> OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, 
> OFBIZ-11306_Plugins.patch, OFBIZ-11306_Plugins.patch, 
> OFBIZ-11306_Plugins.patch, OFBIZ-11306_Plugins.patch, 
> OFBIZ-11306_Plugins.patch
>
>
> CSRF tokens are generated using SecureRandom class.
> 1) In widget form where a hidden token field is auto-generated.
> 2) In FTL form where a <@csrfTokenField> macro is used to generate the csrf 
> token field. 
> 3) In Ajax call where a <@csrfTokenAjax> macro is used to assign csrf token 
> to X-CSRF-Token in request header. 
> CSRF tokens are stored in the user sessions, and verified during POST request.
> A new attribute i.e. csrf-token is added to the security tag to exempt CSRF 
> token check.
> Certain request paths, like LookupPartyName, can be exempt from CSRF token 
> check during Ajax POST call. 
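As an added illustration, not OFBiz's own CsrfUtil code, the following standalone class shows the three mechanics discussed in this thread: a SecureRandom token per request URI held in a per-session map, removal of the entry on check (the tokenMap.remove(requestUri) behaviour) so a token is single-use, and the map size limit from getTokenMap taken from a constructor parameter instead of the hard-coded 100. The class, method and field names are assumed, and the token is keyed by the URI the form POSTs to, which may differ from the URI that served the form.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.LinkedHashMap;
import java.util.Map;

/** Illustrative per-session CSRF token store (assumed names, not OFBiz's CsrfUtil). */
public class CsrfTokenStore {
    private static final SecureRandom RANDOM = new SecureRandom();
    private final int maxTokens; // configurable limit, in place of the hard-coded size() > 100
    // Insertion-ordered map of POST request URI -> token; oldest entry evicted once past maxTokens
    private final Map<String, String> tokenMap;

    public CsrfTokenStore(int maxTokens) {
        this.maxTokens = maxTokens;
        this.tokenMap = new LinkedHashMap<String, String>() {
            @Override
            protected boolean removeEldestEntry(Map.Entry<String, String> eldest) {
                return size() > CsrfTokenStore.this.maxTokens;
            }
        };
    }

    /** Token for the URI the form will POST to; generated once per session and URI. */
    public synchronized String tokenFor(String requestUri) {
        return tokenMap.computeIfAbsent(requestUri, uri -> {
            byte[] buf = new byte[32];
            RANDOM.nextBytes(buf);
            return Base64.getUrlEncoder().withoutPadding().encodeToString(buf);
        });
    }

    /** Verify on POST; the entry is removed first, so a captured token cannot be replayed. */
    public synchronized boolean checkToken(String requestUri, String submitted) {
        String expected = tokenMap.remove(requestUri);
        if (expected == null || submitted == null) return false;
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                     submitted.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        CsrfTokenStore store = new CsrfTokenStore(100);
        String token = store.tokenFor("updateProfile");                   // value of the hidden field
        System.out.println(store.checkToken("updateProfile", token));    // true: first POST
        System.out.println(store.checkToken("updateProfile", token));    // false: already consumed
        System.out.println(store.checkToken("updateProfile", "bogus"));  // false: no entry left
    }
}
```

Because the entry is consumed on the first check, a form whose token was already used (a second submit, or a stale tab) fails verification and must be re-rendered to obtain a fresh token.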



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
