[pLog-svn] r6086 - in plog/branches/lifetype-2.0-csrf:class/action/admin class/data class/data/validator templates/admin

Mark Wu markplace at gmail.com
Wed Nov 28 14:38:37 EST 2007


Hi Reto:

I just created a new branch "plog/branches/lifetype-2.0-csrf" for you, and
also migrated your change to this branch.

So, please kindly use this branch for further CSRF protection PoC
development.

Mark

> -----Original Message-----
> From: plog-svn-bounces at devel.lifetype.net 
> [mailto:plog-svn-bounces at devel.lifetype.net] On Behalf Of 
> mark at devel.lifetype.net
> Sent: Thursday, November 29, 2007 3:35 AM
> To: plog-svn at devel.lifetype.net
> Subject: [pLog-svn] r6086 - in 
> plog/branches/lifetype-2.0-csrf:class/action/admin class/data 
> class/data/validator templates/admin
> 
> Author: mark
> Date: 2007-11-28 14:35:13 -0500 (Wed, 28 Nov 2007)
> New Revision: 6086
> 
> Added:
>    plog/branches/lifetype-2.0-csrf/class/data/nonce.class.php
>    plog/branches/lifetype-2.0-csrf/class/data/validator/noncevalidator.class.php
> Modified:
>    plog/branches/lifetype-2.0-csrf/class/action/admin/adminaction.class.php
>    plog/branches/lifetype-2.0-csrf/class/action/admin/admindeletepostaction.class.php
>    plog/branches/lifetype-2.0-csrf/templates/admin/editposts.template
> Log:
> Re-commit reto's 6083 commit.
> ----
> First PoC implementation for CSRF protection:
> - nonce.class.php does nothing but generating nonces. Note: 
> the randomizer is quite simple, but I'm not sure if there 
> is need for some more complex (and time consuming) nonce generation.
> 
> - noncevalidator compares the nonce in the request with the 
> nonce in the session
> 
> - adminaction stores a new nonce to the users session each 
> time the method setCommonData is called (this deletes any 
> previously set nonces after validation)
> 
> limitations:
> - it doesn't work with javascript enabled ATM.
> - it doesn't work with GET requests (i.e. clicks on the delete icons)
> - only works on the deletepostaction
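The nonce scheme the commit log describes (generate a nonce, store it in the session, compare the request copy with the session copy), as an added example that is not LifeType's code; class and function names here are hypothetical, the session is a constructed in-memory array, and the GET-link helper shows one way to cover the delete-icon limitation the log lists.

```php
<?php
// Added example, not the project's nonce.class.php / noncevalidator.class.php.
// DemoNonce, nonceField, nonceLink and the array-backed session are assumptions.

class DemoNonce
{
    const SESSION_KEY = 'csrf_nonce';

    // Generate a fresh nonce and store it in the session, replacing any
    // previous one (the log stores a new nonce each time setCommonData runs).
    // random_bytes() is a CSPRNG, stronger than the "quite simple" randomizer.
    public static function issue(array &$session): string
    {
        $nonce = bin2hex(random_bytes(16));
        $session[self::SESSION_KEY] = $nonce;
        return $nonce;
    }

    // Compare the nonce in the request with the nonce in the session.
    // Missing or non-string values fail closed; hash_equals() avoids a
    // timing side channel on the comparison.
    public static function validate(array $session, array $request): bool
    {
        $expected = $session[self::SESSION_KEY] ?? null;
        $given    = $request['nonce'] ?? null;
        if (!is_string($expected) || !is_string($given) || $expected === '') {
            return false;
        }
        return hash_equals($expected, $given);
    }
}

// Hidden field for POST forms in the template.
function nonceField(string $nonce): string
{
    return '<input type="hidden" name="nonce" value="'
        . htmlspecialchars($nonce, ENT_QUOTES, 'UTF-8') . '">';
}

// Query parameter for GET links such as the delete icons, so the validator
// can check those requests too.
function nonceLink(string $url, string $nonce): string
{
    return $url . (strpos($url, '?') === false ? '?' : '&')
        . 'nonce=' . rawurlencode($nonce);
}

// Simulated round trip with a constructed session (no real PHP session).
$session = [];
$nonce   = DemoNonce::issue($session);
var_dump(DemoNonce::validate($session, ['nonce' => $nonce]));
var_dump(DemoNonce::validate($session, ['nonce' => 'forged-value']));
var_dump(DemoNonce::validate($session, []));
```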