#205 Encrypt values for XSRF protection

FlexWiki
closed-fixed
5
2008-10-19
2008-10-19
No

It is possible that an XSRF could also forge a cookie with the correct information if the nonce is transmitted in plaintext.

Discussion

  • John Davidson - 2008-10-19
    • status: open --> closed-fixed
     
  • John Davidson - 2008-10-19

    Build 2.1.0.274

    Added passphrases for encrypting the nonce and cookie used for xsrf protection. The passphrases may be 32 or 16 bytes in length. There are 16-byte default passphrases to ensure a simple transition. Modified the WikiEdit and MessagePost xsrf routines to use encryption and decryption.

    Added a unit test for encryption and decryption with longer passphrases.
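An added Go example, not FlexWiki's code, of the check the comment above describes: the same nonce is encrypted under one passphrase for the form field and under another for the cookie, so a form value copied into the cookie fails verification. Assumptions: AES-GCM keyed directly with the 16- or 32-byte passphrase, separate passphrases for form and cookie, and the names `Seal`, `Open` and `Verify`.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/subtle"
	"encoding/base64"
	"fmt"
)

// newAEAD keys AES-GCM directly with a 16- or 32-byte passphrase (assumed scheme).
func newAEAD(pass []byte) (cipher.AEAD, error) {
	if len(pass) != 16 && len(pass) != 32 {
		return nil, fmt.Errorf("passphrase must be 16 or 32 bytes, got %d", len(pass))
	}
	block, _ := aes.NewCipher(pass) // cannot fail after the length check
	return cipher.NewGCM(block)
}
// Seal encrypts nonce under pass and prepends the fresh random IV it used.
func Seal(pass, nonce []byte) (string, error) {
	aead, err := newAEAD(pass)
	iv := make([]byte, 12) // standard GCM IV size
	if _, rerr := rand.Read(iv); err != nil || rerr != nil {
		return "", fmt.Errorf("seal failed: bad passphrase or RNG error")
	}
	return base64.RawURLEncoding.EncodeToString(aead.Seal(iv, iv, nonce, nil)), nil
}
// Open reverses Seal; a tampered token or the wrong passphrase yields an error.
func Open(pass []byte, token string) ([]byte, error) {
	aead, err := newAEAD(pass)
	raw, decErr := base64.RawURLEncoding.DecodeString(token)
	if err != nil || decErr != nil || len(raw) < 12 {
		return nil, fmt.Errorf("invalid token or passphrase")
	}
	return aead.Open(nil, raw[:12], raw[12:], nil)
}
// Verify accepts only if form field and cookie decrypt, each under its own passphrase, to one nonce.
func Verify(formPass, cookiePass []byte, formTok, cookieTok string) bool {
	a, errA := Open(formPass, formTok)
	b, errB := Open(cookiePass, cookieTok)
	return errA == nil && errB == nil && subtle.ConstantTimeCompare(a, b) == 1
}

func main() {
	fp, cp := []byte("form-pass-16byte"), []byte("cookie-passphrase-32-bytes-long!") // constructed
	form, _ := Seal(fp, []byte("nonce-1"))
	cookie, _ := Seal(cp, []byte("nonce-1"))
	fmt.Println(Verify(fp, cp, form, cookie), Verify(fp, cp, form, form)) // true false
}
```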

     
