[Owncloud] Cross-site request forgery protection
Thomas Tanghus
thomas at tanghus.net
Tue Jun 12 13:20:55 UTC 2012
On Tuesday 12 June 2012 14:16 Thomas Tanghus wrote:
> On Friday 08 June 2012 16:42 Frank Karlitschek wrote:
> > /**
> > * Register a get/post call
> > */
> > public static function callRegister(){
> >
> > // generate a random token.
> > // store the token together with a timestamp in the session.
> > // return the token
> >
> > }
> >
> >
> > /**
> > * Check an ajax get/post call
> > */
> > public static function callCheck(){
> >
> > // searches the get and post arrays for the token.
> > // check if the token is in the user session and if the timestamp is from
> > // the last hour.
> > // exit if not found and return if found.
> > }
>
> I just tested this, and we need some extra methods. Something like:
I also tested the jQuery trick posted on IRC Saturday [1], but couldn't get
it to work. Instead I found another neat trick [2]:
<script type="text/javascript">
$(document).ready(function(){
    // token rendered into the page by the server-side template
    var csrf_token = '<?php echo $_['csrf_token']; ?>';
    // merge the token into the data of every subsequent jQuery AJAX call
    $.ajaxSetup({
        data: {
            requesttoken: csrf_token
        }
    });
});
</script>
[1] http://erlend.oftedal.no/blog/?blogid=118
[2] http://www.bennadel.com/blog/2131-Using-jQuery-ajaxSetup-To-Accumulate-Global-Data-Parameters-For-AJAX-Requests.htm
--
Med venlig hilsen / Best Regards
Thomas Tanghus