Open edwardotis opened 8 years ago
I'm curious about this, because why would you bother trying to protect your login from CSRF? From what I understand, the whole point of CSRF is that someone is trying to exercise a command through you because you are already logged in, like for example updating your password. So the form for updating your password should have CSRF protection, not the login. Or is there some other possible exploit an attacker could use in the context of CSRF and logging in?
Yes, you need to secure your login forms from CSRF attacks just as any other. Otherwise your site is vulnerable to a sort of "trusted domain phishing" attack. In short, a CSRF-vulnerable login page enables an attacker to share a user account with the victim.
The vulnerability plays out like this:
Please read more here
Cool, thanks for replying. With the app I'm currently working on this wouldn't be a likely scenario, because users can't sign up for accounts on their own. In order to pull this off you would need to be a customer account admin, or an admin. But at least I now know the reasoning behind wanting this, and it should be a part of Spring Security.
AFAICT, Grails' withForm method is not available when using /j_spring_security_check to log users in.
How can we protect our apps from CSRF during login when using grails-spring-security-core? http://docs.spring.io/spring-security/site/docs/current/reference/html/csrf.html#csrf-login
Using: Grails 2.5.4
Thanks,
Ed