]> git.koha-community.org Git - koha.git/commit
Bug 18124: Restrict CSRF token to user's session
authorJonathan Druart <jonathan.druart@bugs.koha-community.org>
Wed, 15 Feb 2017 16:14:13 +0000 (17:14 +0100)
committerKyle M Hall <kyle@bywatersolutions.com>
Thu, 30 Mar 2017 09:07:08 +0000 (09:07 +0000)
commit3562816dd1b8855c7973ce5650ff834407c1a548
treecb038649b3d723d783465244959439e6bc1bba06
parent8dad1582c100017f8ad3e331c9a9b9cc9ed4e4d6
Bug 18124: Restrict CSRF token to user's session

Currently the CSRF token generated is based on the borrowernumber, and
is valid across user's session.
We need to restrict the CSRF token to the current session.

With this patch the CSRF token is generated concatenating the id
(borrowernumber) and the CGISESSID cookie.

Test plan:
Run t/Token.t

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Koha/Token.pm
t/Token.t