#205 Encrypt values for XSRF protection

FlexWiki
Status: closed-fixed
Owner: John Davidson
Priority: 5
Updated: 2008-10-19
Created: 2008-10-19
Creator: John Davidson
Private: No

It is possible that an XSRF could also forge a cookie with the correct information if the nonce is transmitted in plaintext.

Discussion

  • John Davidson, 2008-10-19

    • status: open --> closed-fixed

  • John Davidson, 2008-10-19

    Build 2.1.0.274

    Added passphrases for encrypting the nonce and cookie used for xsrf protection. The passphrases may be 32 or 16-bytes in length. There are 16-byte default passphrases to ensure simple transition. Modified the WikiEdit and MessagePost xsrf routines to use encryption and decryption.

    Added a unit test for encryption and decryption with longer passphrases.
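The fix described in the comment above, written out as an added example (this is not FlexWiki's own code, which is C#; it is a stand-alone Go sketch of the same scheme). A random nonce is generated per form, encrypted under a server-side passphrase that must be 16 or 32 bytes long as the ticket states (AES-128 or AES-256), and the two ciphertexts are placed in the cookie and in the hidden form field. An attacker who can see the form cannot produce a matching cookie value without the key, which is the weakness the ticket raises. The type and function names (`XSRFProtector`, `Issue`, `Verify`), the choice of AES-GCM as the cipher mode, and the binding of a "cookie"/"form" context string as associated data are assumptions of this example, not details from the ticket.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
)

// XSRFProtector seals the anti-XSRF nonce with a server-side key so that
// neither the cookie nor the form value reveals the nonce in plaintext.
// (Example type, not part of FlexWiki.)
type XSRFProtector struct {
	aead cipher.AEAD
}

// NewXSRFProtector accepts only a 16- or 32-byte passphrase, mirroring the
// length rule from the ticket (AES-128 or AES-256 key sizes).
func NewXSRFProtector(passphrase []byte) (*XSRFProtector, error) {
	if len(passphrase) != 16 && len(passphrase) != 32 {
		return nil, errors.New("passphrase must be 16 or 32 bytes")
	}
	block, err := aes.NewCipher(passphrase)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block) // assumed mode choice for this example
	if err != nil {
		return nil, err
	}
	return &XSRFProtector{aead: aead}, nil
}

// seal encrypts and authenticates plaintext under a fresh random IV. The
// context string is bound as associated data so a value issued for the
// form field cannot be replayed as the cookie value, or vice versa.
func (p *XSRFProtector) seal(plaintext []byte, context string) (string, error) {
	iv := make([]byte, p.aead.NonceSize())
	if _, err := rand.Read(iv); err != nil {
		return "", err
	}
	ct := p.aead.Seal(iv, iv, plaintext, []byte(context)) // output is iv || ciphertext || tag
	return base64.RawURLEncoding.EncodeToString(ct), nil
}

// open reverses seal; any tampering or a wrong context fails authentication.
func (p *XSRFProtector) open(token, context string) ([]byte, error) {
	raw, err := base64.RawURLEncoding.DecodeString(token)
	if err != nil {
		return nil, err
	}
	n := p.aead.NonceSize()
	if len(raw) < n {
		return nil, errors.New("token too short")
	}
	return p.aead.Open(nil, raw[:n], raw[n:], []byte(context))
}

// Issue generates one random 16-byte nonce and returns it sealed twice:
// once for the cookie and once for the hidden form field.
func (p *XSRFProtector) Issue() (cookie, formField string, err error) {
	nonce := make([]byte, 16)
	if _, err = rand.Read(nonce); err != nil {
		return "", "", err
	}
	if cookie, err = p.seal(nonce, "cookie"); err != nil {
		return "", "", err
	}
	if formField, err = p.seal(nonce, "form"); err != nil {
		return "", "", err
	}
	return cookie, formField, nil
}

// Verify accepts a request only if both values decrypt under the server key
// and carry the same nonce; the comparison is constant-time.
func (p *XSRFProtector) Verify(cookie, formField string) bool {
	a, err := p.open(cookie, "cookie")
	if err != nil {
		return false
	}
	b, err := p.open(formField, "form")
	if err != nil {
		return false
	}
	return subtle.ConstantTimeCompare(a, b) == 1
}

func main() {
	// Constructed 16-byte passphrase for the demonstration only.
	p, err := NewXSRFProtector([]byte("0123456789abcdef"))
	if err != nil {
		panic(err)
	}
	cookie, form, _ := p.Issue()
	fmt.Println("cookie:", cookie)
	fmt.Println("form:  ", form)
	fmt.Println("valid pair:", p.Verify(cookie, form))
	fmt.Println("swapped:   ", p.Verify(form, cookie))
}
```

Because both stored values are ciphertexts under a key the browser never sees, observing the form value gives no way to construct the matching cookie; a value that is simply copied, swapped between cookie and form, or taken from another issued pair fails `Verify`.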