Feature #9547
Reactivate HMAC or implement substitute
| Status: | Rejected | Start date: | 2010-09-01 | |
|---|---|---|---|---|
| Priority: | Must have | Due date: | ||
| Assigned To: | - | % Done: | 0% |
|
| Category: | Security | |||
| Target version: | - | |||
| PHP Version: | Complexity: | |||
| Has patch: |
Description
Currently Fluid Forms still create a hidden "__hmac" field, but apparently that is no longer validated on the server side.
IMO we need this request hash validation to prevent CSRF (http://en.wikipedia.org/wiki/Cross-site_request_forgery) attacks.
A possible alternative solution might be to store the form fields in a request stack (#3620)
Related issues
History
#1 Updated by Sebastian Kurfuerst almost 5 years ago
after re-thinking about this, I also think we badly need this feature again.
#2 Updated by Karsten Dambekalns over 4 years ago
- Tracker changed from Bug to Feature
#3 Updated by Andreas Förthner over 4 years ago
- Status changed from New to Rejected
this is a duplicate...