ID | Project | Category | View Status | Date Submitted | Last Update
0016711 | ClearOS | clearos-framework | public | 2017-08-28 19:49 | 2017-09-13 12:09

Reporter | bchambers
Assigned To | bchambers
Priority | normal
Severity | minor
Reproducibility | sometimes
Status | closed
Resolution | fixed
Product Version | 7.4.0 Beta 1
Target Version | 7.4.0 Beta 1
Fixed in Version | 7.4.0 Beta 1
Summary | 0016711: Ajax "POST's" cause CSRF 403's
Description | POST. If user submits a POST form, CSRF will fail.
Tags | No tags attached.

Notes
(0006391) user2 2017-08-28 21:26
Note: severity set to minor since this is a change from the unreleased and unverified 0015311.
(0006401) bchambers (administrator) 2017-08-29 07:20
Pete, there are 3 ways we could go with this: https://stackoverflow.com/questions/41398753/regenerate-crsf-token-codeigniter-on-submit-ajax

1. Messy but secure - get and set the regenerated CSRF and update values in any forms.
2. Easy, but less secure and not scalable - Disable CSRF protection on certain routes (eg. AJAX). However, since these are specified in the framework, app developers are left out of the loop.
3. Easy but least secure - Disable regeneration of CSRF tokens.

I think 2 is out due to scalability issues...doubt you want to go down path 3, so 1 it is???
(0006421) user2 2017-09-02 15:34
#3 is fine for the webconfig use case. Note: the CSRF token will be regenerated on every login session.
Issue History
Date Modified | Username | Field | Change
2017-08-28 19:49 | bchambers | New Issue | |
2017-08-28 19:49 | bchambers | Status | new => assigned |
2017-08-28 19:49 | bchambers | Assigned To | => bchambers |
2017-08-28 21:20 | user2 | Relationship added | duplicate of 0015311 |
2017-08-28 21:21 | user2 | Severity | major => minor |
2017-08-28 21:26 | user2 | Note Added: 0006391 | |
2017-08-28 21:27 | user2 | Relationship replaced | related to 0015311 |
2017-08-29 07:20 | bchambers | Note Added: 0006401 | |
2017-08-31 09:04 | user2 | Target Version | => 7.4.0 Beta 1 |
2017-09-02 15:30 | user2 | Category | app-marketplace - Marketplace => clearos-framework |
2017-09-02 15:34 | user2 | Note Added: 0006421 | |
2017-09-02 15:35 | user2 | Status | assigned => resolved |
2017-09-02 15:35 | user2 | Fixed in Version | => 7.4.0 Beta 1 |
2017-09-02 15:35 | user2 | Resolution | open => fixed |
2017-09-13 12:09 | user2 | Status | resolved => closed |