https://github.com/opencontentcoop/ezuserformtoken
- Host: GitHub
- URL: https://github.com/opencontentcoop/ezuserformtoken
- Owner: OpencontentCoop
- License: gpl-2.0
- Created: 2018-11-21T16:20:07.000Z (over 7 years ago)
- Default Branch: master
- Last Pushed: 2019-07-19T13:05:42.000Z (almost 7 years ago)
- Last Synced: 2025-09-28T23:52:27.370Z (9 months ago)
- Language: PHP
- Size: 11.7 KB
- Stars: 0
- Watchers: 7
- Forks: 1
- Open Issues: 0
Metadata Files:
- Readme: readme.md
- License: LICENSE
README
# eZ Publish Legacy User Form Token extension
This extension aims to stop CSRF attacks against eZ Publish by implementing the simplest remediation described by [Detectify](https://support.detectify.com/customer/portal/articles/1969819-login-csrf).
It works like the official [eZ Form Token](https://doc.ez.no/eZ-Publish/Technical-manual/4.6/Features/eZ-Form-token-extension) extension, adding input and output filter events that verify that POST requests carry an input field matching a generated custom cookie.
The difference from eZ Form Token is that the verification is performed on requests made by the anonymous user.
This is all done transparently for HTML/XHTML forms, but it requires changes to all AJAX POST code.
If the form token does not verify, an exception is currently thrown and an HTTP 500 error is sent to the client.
Which modules are protected and the cookie parameter can be configured in the new `[UserFormToken]` block in site.ini
(see the defaults in this extension's settings/site.ini.append.php file).
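The double-submit check described above, written out as an added illustration that is not the extension's own code and does not use eZ Publish's filter event API; the cookie name, field name, protected module list and function names are assumptions:

```php
<?php
// Illustration of the cookie/field check the README describes. Names below are
// assumed; in the real extension they come from the [UserFormToken] block.
const COOKIE_NAME = 'ezuserformtoken';           // assumed cookie parameter
const FIELD_NAME  = 'ezuserformtoken';           // assumed hidden input name
const PROTECTED_MODULES = ['user', 'content'];   // assumed protected modules

// Issue the random token cookie once per client (anonymous users included) and
// return its value. Not HttpOnly on purpose: AJAX POST code must read and resend it.
function userFormTokenCookie(): string
{
    if (!empty($_COOKIE[COOKIE_NAME])) {
        return $_COOKIE[COOKIE_NAME];
    }
    $token = bin2hex(random_bytes(32));
    setcookie(COOKIE_NAME, $token, ['path' => '/', 'secure' => true, 'samesite' => 'Lax']);
    $_COOKIE[COOKIE_NAME] = $token;
    return $token;
}

// "Output filter": inject a hidden input into every <form method="post"> in the page,
// which is what makes the protection transparent for plain HTML forms.
function userFormTokenOutputFilter(string $html): string
{
    $value = htmlspecialchars(userFormTokenCookie(), ENT_QUOTES, 'UTF-8');
    $field = '<input type="hidden" name="' . FIELD_NAME . '" value="' . $value . '">';
    return preg_replace('/(<form\b[^>]*\bmethod=["\']?post["\']?[^>]*>)/i', '$1' . $field, $html);
}

// "Input filter": for a POST to a protected module, the submitted field must equal
// the cookie. A cross-site page cannot read the victim's cookie, so it cannot
// forge a matching field. Mismatch throws, which the README says surfaces as HTTP 500.
function userFormTokenInputFilter(string $module): void
{
    if ($_SERVER['REQUEST_METHOD'] !== 'POST' || !in_array($module, PROTECTED_MODULES, true)) {
        return;
    }
    $cookie = $_COOKIE[COOKIE_NAME] ?? '';
    $field  = $_POST[FIELD_NAME] ?? '';
    if ($cookie === '' || !is_string($field) || !hash_equals($cookie, $field)) {
        throw new RuntimeException('User form token mismatch');
    }
}
```

The check holds only as long as an attacker can neither read nor set the cookie, so it does not survive an XSS bug on the site or an attacker-controlled sibling subdomain that can plant cookies for the parent domain.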
See also:
[How to protect against login CSRF? in stackexchange](https://security.stackexchange.com/questions/59411/how-to-protect-against-login-csrf)