]> git.koha-community.org Git - koha.git/commit
Bug 18124: Restrict CSRF token to user's session
authorJonathan Druart <jonathan.druart@bugs.koha-community.org>
Wed, 15 Feb 2017 16:14:13 +0000 (17:14 +0100)
committerKatrin Fischer <katrin.fischer.83@web.de>
Sun, 2 Apr 2017 16:00:27 +0000 (18:00 +0200)
commit7da5ac1bbb955e88dbaeab37332e2196c8b81c6d
tree05038c401e360f21f6fb5f661c8fa9f1d0bd86ae
parent07e2f4fedc68c38d6498c61015484d9a36b85f56
Bug 18124: Restrict CSRF token to user's session

Currently the CSRF token generated is based on the borrowernumber, and
is valid across user's session.
We need to restrict the CSRF token to the current session.

With this patch the CSRF token is generated concatenating the id
(borrowernumber) and the CGISESSID cookie.

Test plan:
Run t/Token.t

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(cherry picked from commit 3562816dd1b8855c7973ce5650ff834407c1a548)
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Koha/Token.pm
t/Token.t