Enhance the CSRF tokens #25
Comments
Description is at #23 (comment)
Bump. We've been running data.qld.gov.au and publications.qld.gov.au on the new HMAC-based token format for several months, and it seems to be working well.
@ThrawnCA nice one! Take it we can close this issue?
@camfindlay No, what I'm suggesting is that the HMAC-based token format from qld-gov-au/ckanext-qgov#6 should be merged into this extension. It can't just be cherry-picked, because things were restructured a bit when importing our CSRF filter into ckanext-security, but it should be pretty straightforward.
- This makes it almost impossible for an attacker to forge a token, even if they find a way to set a cookie. It also provides a verified timestamp so we can easily check the token age. In future, it might even be possible to eliminate the cookie altogether, so long as sufficient information is contained in the token, e.g. username + timestamp + intended action.
Look to amend our tokens using the approach put forward at https://github.com/qld-gov-au/ckan-ex-qgov/pull/6/files
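The token shape described above (username + timestamp + intended action, authenticated with an HMAC so that forging one requires the server secret, and carrying a timestamp the server can trust for an age check), as an added example that is not code from this thread, from ckanext-security or from ckanext-qgov. The secret, the dot-separated base64url layout, the one-hour limit and the 60-second clock-skew allowance are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import secrets
import time

# Hypothetical server-side secret for this example; a real deployment loads
# it from configuration and never ships it to the client.
SECRET_KEY = b"constructed-example-secret-do-not-reuse"
MAX_AGE_SECONDS = 3600   # assumed token lifetime
CLOCK_SKEW_SECONDS = 60  # assumed tolerance for a timestamp slightly in the future


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(payload: str, secret: bytes) -> str:
    return _b64(hmac.new(secret, payload.encode(), hashlib.sha256).digest())


def generate_token(username, action, secret=SECRET_KEY, now=None):
    """Build 'user.timestamp.nonce.action.signature'. User and action are
    base64url-encoded so a '.' inside them cannot confuse the parser."""
    ts = int(time.time() if now is None else now)
    payload = ".".join([_b64(username.encode()), str(ts), secrets.token_hex(8), _b64(action.encode())])
    return payload + "." + _sign(payload, secret)


def verify_token(token, username, action, secret=SECRET_KEY, now=None, max_age=MAX_AGE_SECONDS):
    """Return (True, 'ok') or (False, reason). The signature is checked first, in
    constant time, so nothing the client supplied is trusted until it is authenticated."""
    parts = token.split(".")
    if len(parts) != 5:
        return False, "malformed"
    payload, sig = ".".join(parts[:4]), parts[4]
    if not hmac.compare_digest(_sign(payload, secret), sig):
        return False, "bad signature"
    try:
        tok_user, ts, tok_action = _unb64(parts[0]), int(parts[1]), _unb64(parts[3])
    except (ValueError, UnicodeDecodeError):
        return False, "malformed"
    current = time.time() if now is None else now
    if ts > current + CLOCK_SKEW_SECONDS or current - ts > max_age:
        return False, "expired"   # the timestamp is trustworthy here: it is under the HMAC
    if not (hmac.compare_digest(tok_user, username.encode()) and hmac.compare_digest(tok_action, action.encode())):
        return False, "binding mismatch"
    return True, "ok"
```

Because the session user and the intended action are bound into the signed payload, a token that leaks from one form or one user cannot be replayed against another, and the age check needs no separate trusted clock value from the cookie.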