git.koha-community.org Git - koha.git/commit

author	Jonathan Druart <jonathan.druart@bugs.koha-community.org>
	Wed, 15 Feb 2017 16:14:13 +0000 (17:14 +0100)
committer	Mason James <mtj@kohaaloha.com>
	Sun, 23 Apr 2017 23:00:07 +0000 (11:00 +1200)
commit	9e74db7b51085f62919e34ab4e5ccdf9da2066a1
tree	bc4448fe76b921bd21dcbf64a02461ede7fdf07b	tree \| snapshot
parent	9de99ca2d5494177bf4e0c805cc46cb3124fdd5c	commit \| diff

Bug 18124: Restrict CSRF token to user's session

Currently the CSRF token generated is based on the borrowernumber, and
is valid across user's session.
We need to restrict the CSRF token to the current session.

With this patch the CSRF token is generated concatenating the id
(borrowernumber) and the CGISESSID cookie.

Test plan:
Run t/Token.t

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>
Signed-off-by: Mason James <mtj@kohaaloha.com>

Main Koha release repository

RSS Atom

Koha/Token.pm		diff \| blob \| history
basket/sendbasket.pl		diff \| blob \| history
members/member-flags.pl		diff \| blob \| history
members/member-password.pl		diff \| blob \| history
members/memberentry.pl		diff \| blob \| history
members/moremember.pl		diff \| blob \| history
opac/opac-memberentry.pl		diff \| blob \| history
opac/opac-sendbasket.pl		diff \| blob \| history
t/Token.t		diff \| blob \| history
tools/import_borrowers.pl		diff \| blob \| history
tools/picture-upload.pl		diff \| blob \| history