Encrypt values for XSRF protection

Brought to you by: dornstein, jwdavidson, nbjones

#205 Encrypt values for XSRF protection

Milestone: FlexWiki

Status: closed-fixed

Owner: John Davidson

Labels: FlexWikiCore (188)

Priority: 5

Updated: 2008-10-19

Created: 2008-10-19

Creator: John Davidson

Private: No

It is possible that an XSRF could also forge a cookie with the correct information if the nonce is tranmitted in plaintext.

Discussion

John Davidson - 2008-10-19

status: open --> closed-fixed
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

John Davidson - 2008-10-19

Build 2.1.0.274

Added passphrases for encrypting the nonce and cookie used for xsrf protection. The passphrases may be 32 or 16-bytes in length. There are 16-byte default passphrases to ensure simple transition. Modified the WikiEdit and MessagePost xsrf routines to use encryption and decryption.

Added a unit test for encryption and decryption longer passphrases.

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Log in to post a comment.