It is possible that an XSRF could also forge a cookie with the correct information if the nonce is transmitted in plaintext.
Added passphrases for encrypting the nonce and cookie used for xsrf protection. The passphrases may be 32 or 16 bytes in length. There are 16-byte default passphrases to ensure a simple transition. Modified the WikiEdit and MessagePost xsrf routines to use encryption and decryption.
Added a unit test for encryption and decryption with longer passphrases.
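The check the commit describes, as an added illustration that is not the project's code: the form carries the nonce in plaintext, the cookie carries the nonce bound to a server secret of 16 or 32 bytes, and the server only accepts a request when the cookie was produced with its key and its nonce matches the form nonce. The commit uses encryption for that binding; this example substitutes a keyed HMAC from the Python standard library, which gives the same forgery resistance without a third-party cipher. The function names, the 16-byte nonce and the sample key are assumptions for the demo.

```python
import base64
import hashlib
import hmac
import secrets

# Key lengths accepted, matching the 16- or 32-byte passphrases the commit describes.
VALID_KEY_LENGTHS = (16, 32)
NONCE_LEN = 16  # assumed nonce size for this demo


def check_passphrase(key: bytes) -> bytes:
    """Reject keys that are not 16 or 32 bytes long (hypothetical helper)."""
    if len(key) not in VALID_KEY_LENGTHS:
        raise ValueError("passphrase must be 16 or 32 bytes, got %d" % len(key))
    return key


def _tag(key: bytes, nonce: bytes) -> bytes:
    # Keyed binding of the nonce to the server secret. The commit encrypts the
    # nonce here; HMAC-SHA256 stands in for that and is equally unforgeable without the key.
    return hmac.new(key, nonce, hashlib.sha256).digest()


def issue_tokens(key: bytes, nonce: bytes = None):
    """Return (form_token, cookie_value).

    The form token is the plaintext nonce, as in the scheme the commit fixes.
    The cookie is the nonce plus its keyed tag, so seeing the form token alone
    is not enough to build a cookie the server will accept.
    """
    check_passphrase(key)
    if nonce is None:
        nonce = secrets.token_bytes(NONCE_LEN)
    form_token = base64.urlsafe_b64encode(nonce).decode()
    cookie_value = base64.urlsafe_b64encode(nonce + _tag(key, nonce)).decode()
    return form_token, cookie_value


def verify(key: bytes, form_token: str, cookie_value: str) -> bool:
    """Accept only if the cookie carries a valid tag and its nonce equals the form nonce."""
    check_passphrase(key)
    try:
        form_nonce = base64.urlsafe_b64decode(form_token)
        cookie_raw = base64.urlsafe_b64decode(cookie_value)
    except (ValueError, TypeError):
        return False
    expected_len = NONCE_LEN + hashlib.sha256().digest_size
    if len(form_nonce) != NONCE_LEN or len(cookie_raw) != expected_len:
        return False
    cookie_nonce, tag = cookie_raw[:NONCE_LEN], cookie_raw[NONCE_LEN:]
    # Constant-time comparisons so timing does not leak tag or nonce bytes.
    if not hmac.compare_digest(_tag(key, cookie_nonce), tag):
        return False
    return hmac.compare_digest(cookie_nonce, form_nonce)


def plaintext_cookie_forgery(form_token: str) -> str:
    """The cookie an attacker who saw the plaintext nonce could set under the old scheme."""
    return form_token


if __name__ == "__main__":
    key = b"0123456789abcdef"  # constructed 16-byte sample key
    form, cookie = issue_tokens(key)
    print("genuine pair accepted:", verify(key, form, cookie))
    print("forged cookie accepted:", verify(key, form, plaintext_cookie_forgery(form)))
```

Run as a script it prints one accepted genuine pair and one rejected forgery; the rejection is the whole point of keying the cookie, since a plaintext nonce that reaches the attacker no longer lets them satisfy the cookie side of the check.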