Bug 7001 - Implement CSRF checking
Implement CSRF checking
Status: NEW
Product: OJS
Classification: Unclassified
Component: General
Version: 2.4.x
Hardware: All
OS: All
Importance: P3 normal
Assigned To: PKP Support
Reported: 2012-01-02 14:22 PST by Alec Smecher
Modified: 2012-09-21 15:01 PDT (History)
Description Alec Smecher 2012-01-02 14:22:19 PST
Implement CSRF (cross-site request forgery) checking. http://en.wikipedia.org/wiki/Cross-site_request_forgery
Comment 1 Jason Nugent 2012-01-03 05:55:12 PST
Hi Alec,

My suggestion would be to examine the way Wordpress has dealt with this. WP uses Nonce keys on each form, painless with a wp_nonce_field() function call. The keys are stored in a database table that also contains the referring document of the form, the destination URL, and other information about the user session. They also expire after a reasonable amount of time. On form submission, part of the validation routine extracts the nonce key from the hidden form field and pulls the information out of the database, verifies that everything is correct, expires the nonce key, and then processes the form.

The nice thing about the WP approach is that the nonce functions abstract all of the key creation, record creation, and so on. You just need to include it on your form and then call wp_verify_nonce() as part of the form validation routine.

WP info:
http://codex.wordpress.org/Wordpress_Nonce_Implementation

Nonce info:
http://en.wikipedia.org/wiki/Cryptographic_nonce
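The server-side nonce scheme described in the comment above (a random token per form, bound to the user session and the target action, expiring after a fixed time and consumed on first use), as an added illustration in Python; this is not OJS or WordPress code, and the in-memory dictionary stands in for the database table the comment mentions.

```python
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class NonceRecord:
    session_id: str    # session the token was issued to
    action: str        # form / destination URL the token is valid for
    expires_at: float  # absolute expiry, seconds since the epoch


class NonceStore:
    """One-time, per-session, per-action form tokens (CSRF protection).

    Stands in for the database table described above; a real deployment
    persists the records and purges expired rows periodically.
    """

    def __init__(self, ttl_seconds: float = 3600.0):
        self.ttl = ttl_seconds
        self._records: Dict[str, NonceRecord] = {}

    def issue(self, session_id: str, action: str, now: Optional[float] = None) -> str:
        """Create a token to embed in a hidden form field for this session/action."""
        # 32 bytes from the OS CSPRNG: an attacker's page cannot guess it.
        token = secrets.token_urlsafe(32)
        now = time.time() if now is None else now
        self._records[token] = NonceRecord(session_id, action, now + self.ttl)
        return token

    def verify(self, token: str, session_id: str, action: str,
               now: Optional[float] = None) -> bool:
        """True only for an unexpired token issued to this session for this action.

        The record is removed on every lookup, so a token works exactly once
        and a rejected token cannot be retried (replay and cross-action reuse fail).
        """
        now = time.time() if now is None else now
        record = self._records.pop(token, None)
        if record is None or now >= record.expires_at:
            return False
        # Constant-time comparisons: do not leak which binding mismatched.
        same_session = hmac.compare_digest(record.session_id.encode(), session_id.encode())
        same_action = hmac.compare_digest(record.action.encode(), action.encode())
        return same_session and same_action
```

The `now` parameter exists only so expiry can be exercised deterministically; production callers leave it unset.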