[ https://issues.apache.org/jira/browse/OFBIZ-11329?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17027411#comment-17027411 ]
Jacques Le Roux commented on OFBIZ-11329:
-----------------------------------------
Hi James,

OK, I have found a simple solution: just check if there is an error in
setUserTimeZone.js before setting SetTimeZoneFromBrowser to done in
[sessionStorage|https://developer.mozilla.org/en-US/docs/Web/API/Window/sessionStorage].

I also had to make a simple change to CsrfUtil::checkToken in case of
XMLHttpRequest. The RequestHandlerException is only thrown if the request is
not SetTimeZoneFromBrowser. Also, as a last resort you throw
RequestHandlerExceptionAllowExternalRequests. I have added the condition
related to the throwRequestHandlerExceptionOnMissingLocalRequest property. It's not
activated by default.

I have also defined a csrf.cache.size for removeEldestEntry in getTokenMap.

I attach [^OFBIZ-11329.patch] for you to check before we continue on the rest,
TIA.

> setUserTimeZone should use Get rather than POST
> -----------------------------------------------
>
> Key: OFBIZ-11329
> URL: https://issues.apache.org/jira/browse/OFBIZ-11329
> Project: OFBiz
> Issue Type: Sub-task
> Components: framework, webpos
> Affects Versions: Trunk
> Reporter: Jacques Le Roux
> Assignee: Jacques Le Roux
> Priority: Minor
> Attachments: OFBIZ-11329.patch
>
>
> This will be useful when committing CSRF solution as explained in OFBIZ-11306