
[#4492] CSRF protection with form tokens
Summary CSRF protection with form tokens
Queue Horde Framework Packages
Queue Version HEAD
Type Enhancement
State Resolved
Priority 2. Medium
Owners chuck (at) horde (dot) org
Requester jan (at) horde (dot) org
Created 10/05/2006 (6845 days ago)
Due
Updated 07/30/2007 (6547 days ago)
Assigned
Resolved 07/30/2007 (6547 days ago)
Milestone Horde 3.2
Patch No

History
07/30/2007 02:43:16 AM Chuck Hagenbuch Comment #3
Assigned to Chuck Hagenbuch
State ⇒ Resolved
Done for Horde 3.2
10/05/2006 06:31:25 PM Chuck Hagenbuch Comment #2
The token needs to be not just present, but valid. We'll need to give 
each form a unique id to track that sort of thing, and store the 
expected token for it either in the session or by something we can 
look up in Token (or other) storage.
10/05/2006 12:22:40 PM Jan Schneider Comment #1
Priority ⇒ 2. Medium
Type ⇒ Enhancement
Summary ⇒ CSRF protection with form tokens
Queue ⇒ Horde Framework Packages
State ⇒ Accepted
Add CSRF protection to Horde_Form using Horde_Token: we should not 
only check for tokens submitted twice to protect against duplicate 
submissions, but also check if a token is submitted at all to protect 
against POST attacks with forms not created by ourselves.
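
A minimal sketch of the check the comments in this ticket describe (a token must be submitted, must match the one stored for that form, and is accepted only once), added here as an illustration. It is not Horde_Form or Horde_Token code; the function names, the `form_tokens` session key, the `form_token` field and the `prefs_form` id are assumptions, and a plain array stands in for `$_SESSION`.

```php
<?php
// Added illustration, not Horde code. Function names, the 'form_tokens'
// key and the 'prefs_form' id are hypothetical.

/** Issue a token for one rendered form and store it under the form's id. */
function issueFormToken(array &$session, string $formId): string
{
    $token = bin2hex(random_bytes(32));          // 256 bits from the CSPRNG
    $session['form_tokens'][$formId] = $token;   // expected value, server side
    return $token;                               // goes into a hidden field
}

/** Classify a submission as 'missing', 'invalid' or 'ok'. */
function checkFormToken(array &$session, string $formId, ?string $submitted): string
{
    if ($submitted === null || $submitted === '') {
        return 'missing';                        // no token submitted at all
    }
    $expected = $session['form_tokens'][$formId] ?? null;
    if (!is_string($expected) || !hash_equals($expected, $submitted)) {
        return 'invalid';                        // wrong, unknown or already used
    }
    unset($session['form_tokens'][$formId]);     // single use: blocks resubmission
    return 'ok';
}

// Constructed requests against an array standing in for $_SESSION.
$session = [];
$token = issueFormToken($session, 'prefs_form');
$requests = [
    'POST without a token'  => [],
    'POST with wrong token' => ['form_token' => str_repeat('0', 64)],
    'genuine submission'    => ['form_token' => $token],
    'same token again'      => ['form_token' => $token],
];
foreach ($requests as $label => $post) {
    $result = checkFormToken($session, 'prefs_form', $post['form_token'] ?? null);
    printf("%-22s => %s\n", $label, $result);
}
```

The stored token is consumed only on a successful match, so a request carrying a missing or wrong token cannot invalidate the form the legitimate user still has open.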
