Forum OpenACS Q&A: Re: CSRF protection

10: Re: CSRF protection (response to 1)
Posted by Dirk Gomez on

We'll update the documentation for our CSRF protection module which describes its background, the solution we picked, and the migration path we took. Once this is done - I'm on vacation for a week - we'll upload a tarball to the file-storage.

Jeff, protecting OpenACS against CSRF protection is certainly a time-consuming (and not exactly interesting) activity. The application I converted had about 570 files - it was mostly mechanical and dull work and took about 4 days.

The migration was as follows: For the first few weeks, the CSRF protection module would only log "suspicious" accesses. Programmers and/or template authors were notified of the suspicious attack and would check the affected pages and templates - and protect them. That way we did not impact the live site.

So I don't think it is too much work, it can be shared quite well, and it must be done because OpenACS with its readable URLs is quite vulnerable to it.
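The staged rollout Dirk describes (log-only first, enforce later) as an added example; this is not OpenACS code (OpenACS is written in Tcl) but a language-neutral sketch of a per-session CSRF token with a guard that can run in either mode. The secret, session ids, page paths and the `CsrfGuard` / `make_csrf_token` names are all constructed for the illustration.

```python
"""Added example, not part of OpenACS: a CSRF token check with a log-only rollout mode.

Stage 1 (MODE_LOG): mismatched or missing tokens are logged but the request is
allowed, so the live site is not affected while pages are fixed.
Stage 2 (MODE_ENFORCE): the same check rejects the request.
"""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import List, Optional, Set

MODE_LOG = "log"
MODE_ENFORCE = "enforce"

# Constructed server-side secret for the example; a real deployment loads it
# from configuration and never embeds it in source.
SERVER_SECRET = b"constructed-example-secret"


def make_csrf_token(session_id: str, secret: bytes = SERVER_SECRET) -> str:
    """Derive a per-session token as HMAC-SHA256(secret, session_id).

    The token is embedded as a hidden form field / URL parameter and must be
    sent back with every state-changing request. An attacker's page cannot
    read it, so a cross-site request arrives without a valid token.
    """
    return hmac.new(secret, session_id.encode("utf-8"), hashlib.sha256).hexdigest()


@dataclass
class CsrfGuard:
    """Validates submitted tokens; records suspicious requests for page authors."""

    mode: str = MODE_LOG
    log: List[str] = field(default_factory=list)

    def check(self, session_id: str, page: str, submitted: Optional[str],
              secret: bytes = SERVER_SECRET) -> bool:
        """Return True if the request may proceed.

        Valid token: always allowed.
        Missing/wrong token: logged; allowed only in MODE_LOG.
        """
        expected = make_csrf_token(session_id, secret)
        # Constant-time comparison avoids leaking token bytes via timing.
        valid = submitted is not None and hmac.compare_digest(expected, submitted)
        if valid:
            return True
        reason = "missing" if submitted is None else "mismatch"
        self.log.append(f"csrf-suspicious page={page} session={session_id} token={reason}")
        return self.mode == MODE_LOG

    def pages_needing_attention(self) -> Set[str]:
        """Pages that produced suspicious requests; what authors are told to fix."""
        pages = set()
        for line in self.log:
            for part in line.split():
                if part.startswith("page="):
                    pages.add(part[len("page="):])
        return pages


def simulate_rollout() -> dict:
    """Run the same three requests through both modes and report the outcome."""
    good = make_csrf_token("sess-1")
    results = {}
    for mode in (MODE_LOG, MODE_ENFORCE):
        guard = CsrfGuard(mode=mode)
        results[mode] = {
            "with_token": guard.check("sess-1", "/forums/post", good),
            "no_token": guard.check("sess-1", "/forums/post", None),
            "wrong_token": guard.check("sess-1", "/user/password-update", "0" * 64),
            "pages": sorted(guard.pages_needing_attention()),
        }
    return results


if __name__ == "__main__":
    for mode, outcome in simulate_rollout().items():
        print(mode, outcome)
```

In log mode the `log` list is what gets handed to page and template authors: each entry names the page that was reached without a valid token, which is exactly the list of forms and links that still need the token added before the switch to enforce mode.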