-
With Tornado 6.3 the `xsrf_cookies` setting will be deprecated. Let's keep an eye on:
- https://github.com/tornadoweb/tornado/issues/3217
- https://github.com/tornadoweb/tornado/issues/865
- https://gi…
-
Hey, helpful library but thought I should point out the following (apologies if I've missed some mitigation you've added).
By allowing a cookie to be used as the authentication mechanism, you are ope…
-
While writing some docs for the API, I saw that many endpoints do not need a csrf-token that maybe should need one. While a simple `/logout` just disturbs the user, a `DELETE /history` might produce s…
-
`servant-auth-server` by default expects that the [browser] client will add an `X-XSRF-TOKEN` header with the contents of the `XSRF-TOKEN` cookie for authenticated requests. I have a PR servant-auth t…
3noch updated
6 years ago
-
**XSRF** issue exists @ **root/login.jsp** in branch **develop**
*Method = at line 8 of root\login.jsp gets a parameter from a user request from "password". This parameter val…
-
**XSRF** issue exists @ **root/register.jsp** in branch **develop**
*Method = at line 7 of root\register.jsp gets a parameter from a user request from "password1". This parame…
-
**XSRF** issue exists @ **root/password.jsp** in branch **develop**
*Method = at line 10 of root\password.jsp gets a parameter from a user request from "password1". This param…
-
Currently the user could be forced to log out with a request to the logout URL. We need to add XSRF protection against this.
-
I am building a new frontend for the ots API, but at each turn I am getting "invalid token" and "unauthorized" as the response.
What could be the issue? I have attached my code below. This same request w…
-
```
What steps will reproduce the problem?
1. Bind security cookie to JSESSIONID:
bindConstant().annotatedWith(SecurityCookie.class).to("JSESSIONID");
2. Launch application on glassfish.
…
```