Is there a module or something which will generate a secure token, like
a UUID, for CSRF protection? I finished the tutorial and went to see the
API document, but I couldn't find one, like RoR's
"protect_from_forgery". Also, I read the play.data.validation document,
but there was no token validation method.
The CSRF protection feature is vital for all web applications which
post data, but I can't find it in the Play! framework. Could
somebody please show me the URL?
Thank you.
--
You received this message because you are subscribed to the Google Groups "play-framework" group.
To post to this group, send email to play-fr...@googlegroups.com.
To unsubscribe from this group, send email to play-framewor...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/play-framework?hl=en.
https://bugs.launchpad.net/play/+bug/525417
On Feb 21, 7:38 PM, Guillaume Bort <guillaume.b...@gmail.com> wrote:
> So can you post a bug about that?
>
> You can of course do it currently (just use the play.libs.* package to
> generate a secure token), but we should offer an easier way to manage
> it.
>
> On Sat, Feb 20, 2010 at 10:06 PM, Daniel Guryca <dun...@gmail.com> wrote:
> > Hmm interesting type of attack ... I even did not know about it.
> > Good to know.
> > Daniel
Can you please elaborate a little bit on this?
Many thanks.
Cheers!
On Feb 21, 9:38 pm, Guillaume Bort <guillaume.b...@gmail.com> wrote:
> So can you post a bug about that?
>
> You can of course do it currently (just use the play.libs.* package to
> generate a secure token), but we should offer an easier way to manage
> it.
>
> On Sat, Feb 20, 2010 at 10:06 PM, Daniel Guryca <dun...@gmail.com> wrote:
> > Hmm interesting type of attack ... I even did not know about it.
> > Good to know.
> > Daniel
> > On Sat, Feb 20, 2010 at 2:59 AM, nkmrshn <nkmr...@gmail.com> wrote:
>
> >> Hello.
>
> >> Is there a module or something which will generate a secure token, like
> >> a UUID, for CSRF protection? I finished the tutorial and went to see the
> >> API document, but I couldn't find one, like RoR's
> >> "protect_from_forgery". Also, I read the play.data.validation document,
> >> but there was no token validation method.
>
> >> The CSRF protection feature is vital for all web application which has
See the Ruby on Rails Security Guide for more information:
http://guides.rubyonrails.org/security.html
<form action="@{Account.destroy()}" method="POST">
    <input type="hidden" name="authenticityToken" value="${session.id}">
    <input type="submit" value="Destroy my account!">
</form>
And then a before filter that could check this value:
@Before
static void checkAuthenticity(String authenticityToken) {
    // A request without the parameter must be refused as well, rather than
    // failing with a NullPointerException on the equals() call
    if ( authenticityToken == null || !authenticityToken.equals( session.getId() ) ) {
        forbidden();
    }
}
I think it is enough.
-> a new checkAuthenticity() method available in controllers, that
checks for a valid authenticity token in the request parameters and
sends a forbidden response if something is bad.
-> session.getAuthenticityToken()
-> #{authenticityToken /} that adds the input field to any form
For example:
public static void destroyMyAccount() {
    checkAuthenticity();  // aborts with 403 Forbidden unless the token matches the session's
    ...
}
and
#{form @ destroyMyAccount()}
#{authenticityToken /}
<input type="submit" value="destroy my account">
#{/form}
You can of course add this as a before filter if you want to protect
all actions of a hierarchy of controllers.
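The mechanism behind checkAuthenticity() / session.getAuthenticityToken() / #{authenticityToken /} in this post, and the session-id hidden field proposed earlier in the thread, written out as an added stand-alone Java example (this is illustration code, not Play's source): one random token is minted per session, rendered into the form as a hidden input, and compared in constant time when the form is posted. The Session class, the ForbiddenException and the key name under which the token is stored are stand-ins chosen for this example, not Play identifiers. A dedicated random token is preferable to reusing the session id as the hidden value, because the session id then never has to appear in page source where cached or leaked HTML could expose it.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

// Added example (not Play's own code): the synchronizer-token pattern the thread
// converges on, in plain Java so it compiles and runs on its own.
public class CsrfTokenDemo {

    // Stands in for Play's forbidden(), which aborts the request with HTTP 403.
    static class ForbiddenException extends RuntimeException {
        ForbiddenException(String msg) { super(msg); }
    }

    // Minimal stand-in for Play's Session: a string-to-string map.
    static class Session {
        private static final SecureRandom RNG = new SecureRandom();
        // Storage key for the token; the name is an assumption of this example.
        private static final String TOKEN_KEY = "authenticityToken";
        private final Map<String, String> data = new HashMap<>();

        // Lazily create one random token per session, the role of session.getAuthenticityToken().
        String getAuthenticityToken() {
            String token = data.get(TOKEN_KEY);
            if (token == null) {
                byte[] raw = new byte[32];            // 256 bits from a CSPRNG
                RNG.nextBytes(raw);
                token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
                data.put(TOKEN_KEY, token);
            }
            return token;
        }
    }

    // What #{authenticityToken /} renders: a hidden input carrying the session's token.
    static String authenticityTokenField(Session session) {
        return "<input type=\"hidden\" name=\"authenticityToken\" value=\""
                + session.getAuthenticityToken() + "\">";
    }

    // The check behind checkAuthenticity(): refuse a missing token, and compare in
    // constant time so response timing does not reveal how many leading bytes matched.
    static void checkAuthenticity(Session session, Map<String, String> params) {
        String submitted = params.get("authenticityToken");
        if (submitted == null) {
            throw new ForbiddenException("missing authenticity token");
        }
        byte[] got = submitted.getBytes(StandardCharsets.UTF_8);
        byte[] want = session.getAuthenticityToken().getBytes(StandardCharsets.UTF_8);
        if (!MessageDigest.isEqual(got, want)) {
            throw new ForbiddenException("bad authenticity token");
        }
    }

    // A controller action guarded the way destroyMyAccount() is in the thread.
    static String destroyMyAccount(Session session, Map<String, String> params) {
        checkAuthenticity(session, params);
        return "account destroyed";
    }

    public static void main(String[] args) {
        Session session = new Session();
        System.out.println(authenticityTokenField(session));

        // Same-origin submission: the browser posts back the token the form carried.
        Map<String, String> good = new HashMap<>();
        good.put("authenticityToken", session.getAuthenticityToken());
        System.out.println(destroyMyAccount(session, good));

        // Cross-site submission: a third-party page cannot read the token, so whatever
        // it sends is absent or wrong and the action is refused.
        Map<String, String> forged = new HashMap<>();
        forged.put("authenticityToken", "not-the-real-token");
        try {
            destroyMyAccount(session, forged);
        } catch (ForbiddenException e) {
            System.out.println("403 Forbidden: " + e.getMessage());
        }
    }
}
```

Compile and run with `javac CsrfTokenDemo.java && java CsrfTokenDemo`; the first submission succeeds and the second is refused. Wiring checkAuthenticity into an @Before filter, as the post suggests, is the same check applied to every action of the controller hierarchy rather than to one action.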
You mentioned you added this directly into the framework. So, I should
download a new build?
Cheers.
On Mar 18, 4:53 am, Guillaume Bort <guillaume.b...@gmail.com> wrote:
> Yes of course.
>
> On Wed, Mar 17, 2010 at 6:41 PM, <dustin.whit...@gmail.com> wrote:
> > Awesome! Will this work across a cluster of servers?
> >
> > Dustin
> >
> > On Mar 17, 2010 1:27pm, Guillaume Bort <guillaume.b...@gmail.com> wrote:
> >> So, I've added these things directly to the framework:
> >>
> >> -> a new checkAuthenticity() method available in controllers, that
> >> checks for a valid authenticity token in the request parameters and
> >> sends a forbidden response if something is bad.
> >> -> session.getAuthenticityToken()
> >> -> #{authenticityToken /} that adds the input field to any form
> >>
> >> For example:
> >>
> >> public static void destroyMyAccount() {
> >>     checkAuthenticity();
> >>     ...
> >> }
> >>
> >> and
> >>
> >> #{form @ destroyMyAccount()}
> >> #{authenticityToken /}
> >> #{/form}
> >>
> >> You can of course add this as a before filter if you want to protect
> >> all actions of a hierarchy of controllers.
> >>
> >> On Wed, Mar 17, 2010 at 1:40 PM, Guillaume Bort
> >> <guillaume.b...@gmail.com> wrote:
> >> > I think that you can resolve this problem by just adding the session
> >> > ID in a hidden field of your forms.
> >> >
> >> > <input type="hidden" name="authenticityToken" value="${session.id}">
> >> >
> >> > And then a before filter that could check this value:
> >> >
> >> > @Before
> >> > static void checkAuthenticity(String authenticityToken) {
> >> >     if ( authenticityToken == null || !authenticityToken.equals( session.getId() ) ) {
> >> >         forbidden();
> >> >     }
> >> > }
> >> >
> >> > I think it is enough.
> >> >
> >> > On Wed, Mar 17, 2010 at 1:14 PM, ngocdaothanh <ngocdaoth...@gmail.com>
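On the cluster question answered above with "Yes of course": Play 1.x keeps the session in a client-side cookie signed with the application secret rather than in server memory, so a token stored in the session is available to every node without a shared store. The added example below (illustration code, not Play's; the cookie layout, the key name, the use of HMAC-SHA256 and the placeholder secret are this example's own choices) shows the mechanism: one node seals a fresh token into a signed cookie, another node verifies the signature with the same secret before trusting the token inside, and a cookie whose payload was altered client-side fails the check.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

// Added illustration (not Play's code): a session-bound CSRF token that works across
// a cluster because the session itself travels in a cookie signed with a shared secret.
public class SignedSessionDemo {

    // Placeholder for the secret every node is configured with; a real deployment
    // loads a long random value from configuration, never a literal like this.
    private static final byte[] APP_SECRET =
            "EXAMPLE-SECRET-replace-with-a-long-random-value".getBytes(StandardCharsets.UTF_8);

    // Session key under which the token is stored (an assumption of this example).
    private static final String TOKEN_KEY = "authenticityToken";

    private static final Base64.Encoder B64 = Base64.getUrlEncoder().withoutPadding();
    private static final Base64.Decoder B64D = Base64.getUrlDecoder();

    // HMAC over the encoded payload; any node holding APP_SECRET can recompute it.
    static String sign(String payload) throws GeneralSecurityException {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(APP_SECRET, "HmacSHA256"));
        return B64.encodeToString(mac.doFinal(payload.getBytes(StandardCharsets.UTF_8)));
    }

    static String newToken() {
        byte[] raw = new byte[32];                       // 256 bits from a CSPRNG
        new SecureRandom().nextBytes(raw);
        return B64.encodeToString(raw);
    }

    // Node A: seal the token into a cookie value laid out as "signature.payload".
    // '.' is a safe separator because it never occurs in the base64url alphabet.
    static String sealSession(String token) throws GeneralSecurityException {
        String payload = B64.encodeToString((TOKEN_KEY + "=" + token).getBytes(StandardCharsets.UTF_8));
        return sign(payload) + "." + payload;
    }

    // Node B: verify the signature before trusting anything in the cookie, then extract
    // the token. Returns null for a malformed, unsigned or tampered cookie.
    static String tokenFromCookie(String cookie) throws GeneralSecurityException {
        int dot = cookie.indexOf('.');
        if (dot < 0) return null;
        String sig = cookie.substring(0, dot);
        String payload = cookie.substring(dot + 1);
        byte[] expected = sign(payload).getBytes(StandardCharsets.UTF_8);
        if (!MessageDigest.isEqual(sig.getBytes(StandardCharsets.UTF_8), expected)) {
            return null;                                 // signature mismatch: payload was changed
        }
        String decoded;
        try {
            decoded = new String(B64D.decode(payload), StandardCharsets.UTF_8);
        } catch (IllegalArgumentException badBase64) {
            return null;
        }
        String prefix = TOKEN_KEY + "=";
        return decoded.startsWith(prefix) ? decoded.substring(prefix.length()) : null;
    }

    // The check a POST hits on whichever node receives it: constant-time comparison of the
    // submitted form value against the token recovered from the verified cookie.
    static boolean checkAuthenticity(String cookie, String submittedToken) throws GeneralSecurityException {
        String sessionToken = tokenFromCookie(cookie);
        if (sessionToken == null || submittedToken == null) return false;
        return MessageDigest.isEqual(sessionToken.getBytes(StandardCharsets.UTF_8),
                                     submittedToken.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) throws GeneralSecurityException {
        // Node A serves the GET: mints the token and sets the signed session cookie.
        String token = newToken();
        String cookie = sealSession(token);

        // Node B receives the POST: nothing but the shared secret is needed to validate it.
        System.out.println("accepted on another node: " + checkAuthenticity(cookie, token));

        // Payload swapped client-side while the old signature is kept: verification fails,
        // so a token value chosen by the client is never trusted.
        String swapped = B64.encodeToString((TOKEN_KEY + "=chosen").getBytes(StandardCharsets.UTF_8));
        String tampered = cookie.substring(0, cookie.indexOf('.') + 1) + swapped;
        System.out.println("tampered cookie accepted: " + checkAuthenticity(tampered, "chosen"));
    }
}
```

Run with `javac SignedSessionDemo.java && java SignedSessionDemo`: the first line prints true and the second false. The property that makes this cluster-safe is that verification needs only the secret, not the node that issued the cookie; it also means rotating the secret invalidates every outstanding session and token at once.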