Skip to content

OpencontentCoop/ezuserformtoken

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

6 Commits
 
 
 
 
 
 
 
 
 
 

Repository files navigation

eZ Publish Legacy User Form Token extension

This extension aims to stop CSRF attacks against eZ Publish implementing the easiest remediation described in detectify.

It works like the official extension eZ Form Token adding input & output filter events, which verify that POST requests have an input matching with a generated custom cookie. The difference with eZ Form Token is that the verification is done on requests made by the anonymous user.

This is all done transparently for html/xhtml forms, but requires changes to all ajax POST code. If the form token does not verify, an exception is currently thrown and an error 500 is send to the HTTP client.

It is possible to configure modules to be protected and the cookie parameter in the new configuration block [UserFormToken] in site.ini (see defaults in settings/site.ini.append.php file of this extension)

See also: How to protect against login CSRF? in stackexchange

About

No description, website, or topics provided.

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

 
 
 

Contributors

Languages