[ https://issues.apache.org/jira/browse/WAVE-134?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Ali Lown updated WAVE-134:
--------------------------
Component/s: Server
> Security: XSRF Protection
> -------------------------
>
> Key: WAVE-134
> URL: https://issues.apache.org/jira/browse/WAVE-134
> Project: Wave
> Issue Type: Bug
> Components: Server
> Priority: Minor
> Labels: security
>
> We should not use the default JSESSIONID from Jetty, and we are not doing any
> verification of the token. For XSRF protection, we should create a token like
> the following:
> token = base64( hmac( user_id + DELIMITER + action + DELIMITER + time,
> secret ) + DELIMITER + time );
> The token is thus bound to a specific user and action/URL. The XSRF token should be
> included in all state-changing requests and verified on the server-side.
> ---
> Issue imported from
> http://code.google.com/p/wave-protocol/issues/detail?id=133
> Owner: [email protected]
> Label: Type-Defect
> Label: Priority-Medium
> Stars: 1
> State: open
> Status: Accepted
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
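The token scheme the issue sketches, carried through as an added example (this is not code from the Wave project or from the issue reporter). It assumes HMAC-SHA256 as the MAC, "|" as DELIMITER, and a one-hour validity window, none of which the issue fixes. Beyond the issue's formula it also rejects a user_id or action that contains the delimiter (otherwise "a|b" + "c" and "a" + "b|c" would sign identically), refuses tokens dated in the future or past the window, and compares MACs in constant time; the server would call verify_token on every state-changing request with the token the client sent.

```python
import base64
import binascii
import hashlib
import hmac
import time
from typing import Optional, Tuple

DELIMITER = b"|"          # assumed separator; the issue only names DELIMITER
TOKEN_TTL_SECONDS = 3600  # assumed validity window; the issue does not specify one


def _mac(secret: bytes, user_id: str, action: str, issued_at: int) -> bytes:
    """HMAC over user_id + DELIMITER + action + DELIMITER + time, as in the issue."""
    user, act = user_id.encode("utf-8"), action.encode("utf-8")
    # A delimiter inside a field would make the concatenation ambiguous, so refuse it.
    if DELIMITER in user or DELIMITER in act:
        raise ValueError("user_id and action must not contain the delimiter")
    message = DELIMITER.join([user, act, str(issued_at).encode("ascii")])
    return hmac.new(secret, message, hashlib.sha256).digest()


def create_token(secret: bytes, user_id: str, action: str,
                 now: Optional[int] = None) -> str:
    """token = base64( hmac(...) + DELIMITER + time ), URL-safe so it fits in forms/headers."""
    issued_at = int(time.time()) if now is None else int(now)
    payload = (_mac(secret, user_id, action, issued_at)
               + DELIMITER + str(issued_at).encode("ascii"))
    return base64.urlsafe_b64encode(payload).decode("ascii")


def parse_token(token: str) -> Optional[Tuple[bytes, int]]:
    """Split a token into (mac, issued_at); None if it is not well formed."""
    try:
        payload = base64.urlsafe_b64decode(token.encode("ascii"))
        # The raw MAC bytes may themselves contain the delimiter byte, so split
        # from the right, where the digits-only timestamp lives.
        mac, sep, ts = payload.rpartition(DELIMITER)
        if not sep or not ts.isdigit():
            return None
        return mac, int(ts)
    except (ValueError, binascii.Error):
        return None


def verify_token(secret: bytes, token: str, user_id: str, action: str,
                 now: Optional[int] = None, ttl: int = TOKEN_TTL_SECONDS) -> bool:
    """True only if the token was minted for this user and action within the window."""
    parsed = parse_token(token)
    if parsed is None:
        return False
    mac, issued_at = parsed
    current = int(time.time()) if now is None else int(now)
    # Reject tokens claiming a future issue time and tokens older than the window.
    if issued_at > current or current - issued_at > ttl:
        return False
    try:
        expected = _mac(secret, user_id, action, issued_at)
    except ValueError:
        return False
    # Constant-time comparison so response timing does not leak matching MAC bytes.
    return hmac.compare_digest(mac, expected)


if __name__ == "__main__":
    # Constructed sample values; a real deployment draws the secret from server config.
    secret = b"constructed-test-secret"
    tok = create_token(secret, "alice", "POST:/wave/update", now=1_000_000)
    print("token:", tok)
    print("same user/action:", verify_token(secret, tok, "alice", "POST:/wave/update", now=1_000_100))
    print("other action:   ", verify_token(secret, tok, "alice", "DELETE:/wave", now=1_000_100))
```

The timestamp rides in the clear and is re-signed on verification, so the server stores nothing per token; what it must keep secret is only the HMAC key, and rotating that key invalidates every outstanding token at once.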