Bug 7001 - Implement CSRF checking
Product: OJS
Classification: Unclassified
Component: General
Hardware/OS: All / All
Importance: P3 normal
Assigned To: PKP Support
Reported: 2012-01-02 14:22 PST by Alec Smecher
Modified: 2016-02-10 16:51 PST (History)

Description Alec Smecher 2012-01-02 14:22:19 PST
Implement CSRF (cross-site request forgery) checking. http://en.wikipedia.org/wiki/Cross-site_request_forgery
Comment 1 Jason Nugent 2012-01-03 05:55:12 PST
Hi Alec,

My suggestion would be to examine the way WordPress has dealt with this. WP uses nonce keys on each form, painless with a wp_nonce_field() function call. The keys are stored in a database table that also contains the referring document of the form, the destination URL, and other information about the user session. They also expire after a reasonable amount of time. On form submission, part of the validation routine extracts the nonce key from the hidden form field and pulls the information out of the database, verifies that everything is correct, expires the nonce key, and then processes the form.

The nice thing about the WP approach is that the nonce functions abstract all of the key creation, record creation, and so on. You just need to include it on your form and then call wp_verify_nonce() as part of the form validation routine.

WP info:

Nonce info:
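An added example (not OJS's, WordPress's, or the commenter's code) of the nonce scheme described in Comment 1: a per-form, single-use token stored server-side together with the session and form action it is bound to, rejected once it expires or once it has been consumed. The in-memory dictionary and the 12-hour lifetime are assumptions standing in for the database table and its expiry policy.

```python
import hmac
import secrets
import time

# Assumption: a "reasonable" nonce lifetime of 12 hours.
NONCE_TTL_SECONDS = 12 * 60 * 60


class NonceStore:
    """Server-side nonce table: nonce -> (session id, form action, expiry)."""

    def __init__(self, ttl=NONCE_TTL_SECONDS):
        self._ttl = ttl
        self._nonces = {}  # constructed in-memory stand-in for the DB table

    def create(self, session_id, action, now=None):
        """Issue a fresh nonce bound to this session and form action."""
        now = time.time() if now is None else now
        nonce = secrets.token_hex(16)  # 128 bits from the CSPRNG, unguessable
        self._nonces[nonce] = (session_id, action, now + self._ttl)
        return nonce

    def hidden_field(self, session_id, action, now=None):
        """Hidden input to embed in a form, in the spirit of wp_nonce_field()."""
        nonce = self.create(session_id, action, now)
        return '<input type="hidden" name="_csrf" value="%s">' % nonce

    def verify(self, nonce, session_id, action, now=None):
        """Consume the nonce and report whether the submission may proceed."""
        now = time.time() if now is None else now
        # Single use: the record is removed whether or not the check passes,
        # so a captured token cannot be replayed.
        record = self._nonces.pop(nonce, None)
        if record is None:
            return False
        stored_session, stored_action, expires_at = record
        if now > expires_at:
            return False
        # Constant-time comparisons so timing does not reveal which field failed.
        return (hmac.compare_digest(stored_session, session_id)
                and hmac.compare_digest(stored_action, action))


if __name__ == "__main__":
    store = NonceStore()
    print(store.hidden_field("session-1234", "submitArticle"))
    token = store.create("session-1234", "submitArticle")
    print("first submit:", store.verify(token, "session-1234", "submitArticle"))
    print("replayed submit:", store.verify(token, "session-1234", "submitArticle"))
```

Binding the nonce to both the session and the form action is what stops a token issued for one form (or one user) from authorising a different request.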
Comment 2 Alec Smecher 2016-02-10 16:51:28 PST
Git issue: https://github.com/pkp/pkp-lib/issues/1131