search

kazu2012 / get-simple-cms

Automatically exported from code.google.com/p/get-simple-cms
GNU General Public License v3.0
0 stars 0 forks source link

CSRF Detected. #356

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago 
CSRF detected issues when working via a proxy where your IP address may change. 
We have included an option in GSCONFIG to disable CSRF detection when this 
problem occurs. 

Problem is caused as we use the client IP address to generate the nonce value 
which is checked when you visit a page, if you IP address changes a CSRF is 
detected. 

Can we change the nonce generation to something else instead of the IP address, 
maybe generate a one time random value on installation.

Original issue reported on code.google.com by digimute...@gmail.com on 26 Sep 2012 at 3:05

GoogleCodeExporter commented 9 years ago 
Yeah good idea.

I do not hav ea very good undersanding of our nonce implementation. Is it 
documented anywhere ? No doubt it needs an update, and tokenized sessions.

Original comment by tablatronics on 28 Oct 2012 at 4:25