Tracker: Feature Requests

5 Encrypt values for XSRF protection - ID: 2180669
Last Update: Comment added ( jwdavidson )

It is possible that an XSRF could also forge a cookie with the correct information if the nonce is transmitted in plaintext.


John Davidson ( jwdavidson ) - 2008-10-19 13:40:07 PDT

5

Closed

Fixed

John Davidson

FlexWikiCore

FlexWiki

Public


Comment ( 1 )

Date: 2008-10-19 14:14:07 PDT
Sender: jwdavidson (Project Admin)

Build 2.1.0.274

Added passphrases for encrypting the nonce and cookie used for xsrf
protection. The passphrases may be 32 or 16 bytes in length. There are
16-byte default passphrases to ensure simple transition. Modified the
WikiEdit and MessagePost xsrf routines to use encryption and decryption.

Added a unit test for encryption and decryption with longer passphrases.
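As an added illustration, not FlexWiki's own code, one way to build the scheme the comment describes, in Go: the passphrase is accepted only at 16 or 32 bytes, the random XSRF secret is encrypted separately into the cookie value and the hidden form field, and a post is accepted only if both decrypt to the same secret. Using the passphrase bytes directly as an AES-GCM key and comparing the two decrypted values are assumptions; the page does not say how FlexWiki keys its cipher or checks the values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/subtle"
	"encoding/base64"
	"errors"
)

// XsrfProtector wraps AES-GCM keyed directly from the configured passphrase:
// a 16-byte passphrase selects AES-128, a 32-byte one AES-256 (an assumption).
type XsrfProtector struct{ aead cipher.AEAD }
func NewXsrfProtector(passphrase []byte) (*XsrfProtector, error) {
	if n := len(passphrase); n != 16 && n != 32 {
		return nil, errors.New("passphrase must be 16 or 32 bytes long")
	}
	block, _ := aes.NewCipher(passphrase) // cannot fail: length already validated
	aead, err := cipher.NewGCM(block)
	return &XsrfProtector{aead: aead}, err
}
// seal encrypts plain under a fresh random GCM nonce, which is prepended to the ciphertext.
func (p *XsrfProtector) seal(plain []byte) string {
	iv := make([]byte, p.aead.NonceSize())
	rand.Read(iv) // crypto/rand; never returns a short read
	return base64.RawURLEncoding.EncodeToString(p.aead.Seal(iv, iv, plain, nil))
}

// open rejects anything not produced under this key, so a forged or tampered value fails here.
func (p *XsrfProtector) open(token string) ([]byte, error) {
	raw, err := base64.RawURLEncoding.DecodeString(token)
	if n := p.aead.NonceSize(); err == nil && len(raw) >= n {
		return p.aead.Open(nil, raw[:n], raw[n:], nil)
	}
	return nil, errors.New("malformed token")
}
// Issue draws a random secret and returns two separately encrypted copies: cookie and form field.
func (p *XsrfProtector) Issue() (cookie, formToken string) {
	secret := make([]byte, 16)
	rand.Read(secret)
	return p.seal(secret), p.seal(secret)
}

// Verify accepts the post only if both values decrypt to the same secret.
func (p *XsrfProtector) Verify(cookie, formToken string) bool {
	a, errA := p.open(cookie)
	b, errB := p.open(formToken)
	return errA == nil && errB == nil && subtle.ConstantTimeCompare(a, b) == 1
}
```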


Attached File

No Files Currently Attached

Changes ( 3 )

Field Old Value Date By
status_id Open 2008-10-19 14:14:07 PDT jwdavidson
resolution_id None 2008-10-19 14:14:07 PDT jwdavidson
close_date - 2008-10-19 14:14:07 PDT jwdavidson