]> git.koha-community.org Git - koha.git/commit
Bug 18124: Restrict CSRF token to user's session
authorJonathan Druart <jonathan.druart@bugs.koha-community.org>
Wed, 15 Feb 2017 16:14:13 +0000 (17:14 +0100)
committerMason James <mtj@kohaaloha.com>
Sun, 23 Apr 2017 23:00:07 +0000 (11:00 +1200)
commit9e74db7b51085f62919e34ab4e5ccdf9da2066a1
treebc4448fe76b921bd21dcbf64a02461ede7fdf07b
parent9de99ca2d5494177bf4e0c805cc46cb3124fdd5c
Bug 18124: Restrict CSRF token to user's session

Currently the CSRF token generated is based on the borrowernumber, and
is valid across user's session.
We need to restrict the CSRF token to the current session.

With this patch the CSRF token is generated concatenating the id
(borrowernumber) and the CGISESSID cookie.

Test plan:
Run t/Token.t

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>
Signed-off-by: Mason James <mtj@kohaaloha.com>
Koha/Token.pm
basket/sendbasket.pl
members/member-flags.pl
members/member-password.pl
members/memberentry.pl
members/moremember.pl
opac/opac-memberentry.pl
opac/opac-sendbasket.pl
t/Token.t
tools/import_borrowers.pl
tools/picture-upload.pl