
Joomlapolis Forums  


CSRF Attack Protection?
Date: 2008/05/14 17:29 By: NateM Status: User  
Karma: 2  
Senior Joomlapolitan

Posts: 50
Hello,

Could anyone possibly explain how this works? I understand that it's there to prevent spamming, but I was looking for a few more details on when and why exactly it kicks in. I had a person sending friends PMs about a party he was throwing (a legitimate use for them, in my opinion), and he kept getting this CSRF attack thing, which was blocking him. Is there a good way to get around this for legitimate uses, like perhaps having it not kick in between connections or something like that (so I could just tell them to make connections with their friends)? Any ideas?

Re:CSRF Attack Protection?
Date: 2008/05/14 18:41 By: slabbi Status: CB Doc subscriber  
Karma: 62  
Moderator

Posts: 1063
CSRF protection prevents (as the name says) a special kind of cross-site attack.

also see
http://en.wikipedia.org/wiki/Cross-site_request_forgery

To prevent these attacks, uddeIM prints a magic number on each screen it outputs. When the user sends an input back to the server, this number is checked to verify that it originally came from your server.
When someone displays a forged input form, one of your users enters text in this form and sends this form back, uddeIM will recognize this.

The problem is that the session is only valid for some minutes (depends on your Joomla settings). When the user writes very long texts, the session might time out and the magic number is no longer known. He has to press "Send" a second time then, and it should work.
CB Language Workgroup
uddeIM Development
CB 3rd Party Developer

Re:CSRF Attack Protection?
Date: 2008/05/15 02:53 By: NateM Status: User  
Karma: 2  
Senior Joomlapolitan

Posts: 50
Well, it wasn't a very long message, and I think he was just copying it and resending it. Could it be related to pressing the "back" button instead of going to compose a new message?

Re:CSRF Attack Protection?
Date: 2008/05/15 09:18 By: slabbi Status: CB Doc subscriber  
Karma: 62  
Moderator

Posts: 1063
Yes, the "Back" button could cause this problem.
CB Language Workgroup
uddeIM Development
CB 3rd Party Developer
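The mechanism slabbi describes above (a per-screen "magic number" remembered in the session and compared on submit, which becomes unknown once the session times out) and the "Back" button case he confirms in his last reply, as an added example. This is not uddeIM's or Joomla's code; the `Server`/`Session` classes, the `render_compose_form`/`handle_send` names, the 15-minute session lifetime, the session-id strings and the exact rejection text are all assumptions made for the illustration. It also models what slabbi's "press Send a second time" implies: the rejection screen is a freshly rendered form with a new token.

```python
import hmac
import secrets

# Assumed value: Joomla's session lifetime is a site setting, in minutes.
SESSION_LIFETIME = 15 * 60  # seconds


class Session:
    """In-memory stand-in for a PHP/Joomla session (constructed for this example)."""

    def __init__(self, now):
        self.data = {}
        self.last_seen = now


class Server:
    """Minimal model of the synchronizer-token check uddeIM is described as doing."""

    def __init__(self, session_lifetime=SESSION_LIFETIME):
        self.session_lifetime = session_lifetime
        self.sessions = {}  # session id -> Session

    def _session(self, sid, now):
        s = self.sessions.get(sid)
        if s is None or now - s.last_seen > self.session_lifetime:
            # Expired or unknown: the server starts a fresh, empty session,
            # so any token issued earlier is no longer known.
            s = Session(now)
            self.sessions[sid] = s
        s.last_seen = now
        return s

    def render_compose_form(self, sid, now):
        """Print a 'magic number' on the screen: issue a fresh random token,
        remember it in the session, and embed it in the form."""
        s = self._session(sid, now)
        token = secrets.token_hex(16)
        s.data["csrf_token"] = token
        return {"action": "/index.php?option=com_uddeim&task=send", "csrf_token": token}

    def handle_send(self, sid, now, form):
        """Accept the posted message only if the token matches the one this
        session issued on its most recent screen. Returns (status, next_form);
        on rejection next_form is a re-rendered compose form with a new token."""
        s = self._session(sid, now)
        expected = s.data.get("csrf_token")
        posted = form.get("csrf_token", "")
        if expected is None or not hmac.compare_digest(expected, posted):
            return "CSRF attack detected", self.render_compose_form(sid, now)
        s.data.pop("csrf_token")  # single use: a resubmit of the same page fails
        return "sent", None


# Scenarios. Times are seconds on a constructed clock; "alice" is a made-up session id.

def legitimate_send(server, sid="alice", now=0.0):
    form = server.render_compose_form(sid, now)
    return server.handle_send(sid, now + 30, {**form, "body": "party on saturday"})[0]


def forged_send(server, sid="alice", now=0.0):
    # The victim has a live session, but a page on another origin cannot read
    # the token the server embedded in her form, so it can only post a guess.
    server.render_compose_form(sid, now)
    forged = {"body": "spam", "csrf_token": secrets.token_hex(16)}
    return server.handle_send(sid, now + 5, forged)[0]


def back_button_resend(server, sid="alice", now=0.0):
    form = server.render_compose_form(sid, now)
    first = server.handle_send(sid, now + 30, {**form, "body": "party"})
    # Back: the browser shows the cached page, which still carries the consumed token.
    second = server.handle_send(sid, now + 60, {**form, "body": "party"})
    # The rejection screen is a fresh compose form; pressing Send there works.
    third = server.handle_send(sid, now + 90, {**second[1], "body": "party"})
    return first[0], second[0], third[0]


def timed_out_send(server, sid="alice", now=0.0):
    form = server.render_compose_form(sid, now)
    # The user types for longer than the session lifetime before pressing Send.
    late = now + server.session_lifetime + 1
    first = server.handle_send(sid, late, {**form, "body": "long text"})
    # Pressing Send a second time, on the re-rendered form, succeeds.
    second = server.handle_send(sid, late + 10, {**first[1], "body": "long text"})
    return first[0], second[0]
```

Run the four scenario functions against a fresh `Server()` each: the legitimate send is accepted, the forged post is rejected, the Back-button resubmit and the timed-out submit are both rejected the first time and accepted on the second press, which is exactly the behaviour the thread reports. The comparison uses `hmac.compare_digest` so token checking does not leak timing information, a detail the forum post does not mention but a practitioner would want.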
