Description
We should not use the default JSESSIONID from jetty and we are not doing any verification of the token. For XSRF protection, we should create a token like the following
token = base64( hmac( user_id + DELIMITER + action + DELIMITER + time, secret ) + DELIMITER + time );
The token is thus bound to a specific user and action/URL. The XSRF token should be included in all state-changing requests and verified on the server side.
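A worked implementation of the token scheme described above, added here as an example and not taken from the Wave project's code base. The delimiter byte, HMAC-SHA256, the one-hour validity window and the URL-safe base64 alphabet are assumptions; the issue specifies none of them. The verifier recomputes the MAC from the request's user and action plus the timestamp carried inside the token, rejects stale or future timestamps, and compares MACs in constant time.

```python
import base64
import hashlib
import hmac
import time
from typing import Optional

DELIMITER = b"|"                # assumed separator between the MAC and the timestamp
TOKEN_LIFETIME_SECONDS = 3600   # assumed validity window; the issue does not fix one


def _mac(user_id: str, action: str, ts: int, secret: bytes) -> bytes:
    # MAC over user_id + DELIMITER + action + DELIMITER + time, as in the issue.
    # Binding the action means a token minted for one URL cannot be replayed on another.
    msg = DELIMITER.join([user_id.encode(), action.encode(), str(ts).encode()])
    return hmac.new(secret, msg, hashlib.sha256).digest()


def make_token(user_id: str, action: str, secret: bytes, now: Optional[int] = None) -> str:
    """Mint base64( mac + DELIMITER + time ) for this user and action."""
    ts = int(time.time()) if now is None else now
    raw = _mac(user_id, action, ts, secret) + DELIMITER + str(ts).encode()
    return base64.urlsafe_b64encode(raw).decode()


def verify_token(token: str, user_id: str, action: str, secret: bytes,
                 now: Optional[int] = None) -> bool:
    """True only if token was minted for this user and action and is still fresh."""
    try:
        raw = base64.urlsafe_b64decode(token.encode())
        # rsplit: the raw MAC bytes may themselves contain the delimiter byte,
        # but the timestamp is always the last field.
        mac, ts_bytes = raw.rsplit(DELIMITER, 1)
        ts = int(ts_bytes)
    except ValueError:          # bad base64, missing delimiter or non-numeric time
        return False
    current = int(time.time()) if now is None else now
    # Reject tokens from the future and tokens older than the lifetime window.
    if not 0 <= current - ts <= TOKEN_LIFETIME_SECONDS:
        return False
    # Recompute the MAC with the timestamp the token carries; constant-time compare.
    return hmac.compare_digest(mac, _mac(user_id, action, ts, secret))


if __name__ == "__main__":
    # Constructed sample values, not taken from any real deployment.
    secret = b"server-side secret, never sent to the client"
    tok = make_token("alice", "POST /wave/delete", secret, now=1_700_000_000)
    print(verify_token(tok, "alice", "POST /wave/delete", secret, now=1_700_000_300))
```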
—
Issue imported from http://code.google.com/p/wave-protocol/issues/detail?id=133
Owner: so...@google.com
Label: Type-Defect
Label: Priority-Medium
Stars: 1
State: open
Status: Accepted