On CSRs, we need to ensure that the security token in the user's session matches the one in the registration.

Comments

colan created an issue. See original summary.

colan’s picture

colan
he/him
Primary language English
Location Toronto 🇨🇦
CreditAttribution: colan at Colan Schwartz Consulting commented
Priority: Normal » Critical

  • emboss committed 66ea2d1 on issue-2855574 
    Issue #2855574 by emboss: Include registration ID in POST request

  • emboss committed 66ea2d1 on 8.x-1.x 
    Issue #2855574 by emboss: Include registration ID in POST request
colan’s picture

colan
he/him
Primary language English
Location Toronto 🇨🇦
CreditAttribution: colan at Colan Schwartz Consulting commented

We should be able to do what's suggested at Split Tokens: Token-Based Authentication Protocols without Side-Channels.

  • colan committed 7d731b0 on 8.x-1.x 
    Issue #2855574 by colan: Ensure the CSR security token in the session...
  • colan committed 8238651 on 8.x-1.x
    Issue #2855574 by colan: Removed a previously set session token during...
colan’s picture

colan
he/him
Primary language English
Location Toronto 🇨🇦
CreditAttribution: colan at Colan Schwartz Consulting commented
Status: Active » Fixed

Successful requests can now be submitted only once.

  • colan committed 8b0a899 on 8.x-1.x 
    Issue #2855574 by colan: Also remove the security token from the...

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.