6.0.0-git
2021-01-18

[#4492] CSRF protection with form tokens
Summary CSRF protection with form tokens
Queue Horde Framework Packages
Queue Version HEAD
Type Enhancement
State Resolved
Priority 2. Medium
Owners chuck (at) horde (dot) org
Requester jan (at) horde (dot) org
Created 2006-10-05 (5219 days ago)
Due
Updated 2007-07-30 (4921 days ago)
Assigned
Resolved 2007-07-30 (4921 days ago)
Milestone Horde 3.2
Patch No

History
2007-07-30 02:43:16 Chuck Hagenbuch Comment #3
Assigned to Chuck Hagenbuch
State ⇒ Resolved
Done for Horde 3.2
2006-10-05 18:31:25 Chuck Hagenbuch Comment #2
The token needs to be not just present, but valid. We'll need to give 
each form a unique id to track that sort of thing, and store the 
expected token for it either in the session or by something we can 
look up in Token (or other) storage.
2006-10-05 12:22:40 Jan Schneider Comment #1
Type ⇒ Enhancement
State ⇒ Accepted
Priority ⇒ 2. Medium
Summary ⇒ CSRF protection with form tokens
Queue ⇒ Horde Framework Packages
Add CSRF protection to Horde_Form using Horde_Token: we should not 
only check for tokens submitted twice to protect against duplicate 
submissions, but also check if a token is submitted at all to protect 
against POST attacks with forms not created by ourselves.
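
The checks described in comments #1 and #2 (a token must be present, must match the one expected for that form's id, and must not have been used already), as an added example that is not Horde_Form or Horde_Token code. The function names, the `form_tokens` key and the `$session` array standing in for `$_SESSION` are assumptions made for illustration.

```php
<?php
// Added illustration; not Horde_Form or Horde_Token code.
// $session stands in for $_SESSION so the sketch also runs from the CLI.

/** Issue a token for one rendered form and remember it under that form's id. */
function issueFormToken(array &$session, string $formId): string
{
    $token = bin2hex(random_bytes(32));
    $session['form_tokens'][$formId] = $token;
    return $token;
}

/**
 * Accept a submission only if a token is present, matches the value
 * expected for this form id, and has not been consumed before.
 */
function checkFormToken(array &$session, string $formId, ?string $submitted): string
{
    if ($submitted === null || $submitted === '') {
        return 'missing';            // the form was not generated by us
    }
    $expected = $session['form_tokens'][$formId] ?? null;
    if ($expected === null) {
        return 'unknown-or-reused';  // never issued, or already consumed
    }
    if (!hash_equals($expected, $submitted)) {
        return 'invalid';            // present, but not the expected value
    }
    // Single use: a second submission of the same form is rejected.
    unset($session['form_tokens'][$formId]);
    return 'ok';
}

// Constructed walk-through: no token, wrong token, valid token, replay.
$session = [];
$token = issueFormToken($session, 'prefs_form');

foreach ([null, str_repeat('0', 64), $token, $token] as $submitted) {
    echo checkFormToken($session, 'prefs_form', $submitted), "\n";
}
```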
