Bug 429991

Summary: nonce or confirmation for sensitive operations
Product: [Retired] freeIPA
Reporter: Chandrasekar Kannan <ckannan>
Component: WebUI
Assignee: Rob Crittenden <rcritten>
Status: CLOSED ERRATA
QA Contact: Chandrasekar Kannan <ckannan>
Severity: high
Priority: high
Version: 1.0
CC: benl, mgregg, rcritten, ssorce, yzhang
Target Milestone: ---
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: freeipa-2.0.0-1.fc15
Doc Type: Bug Fix
Story Points: ---
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Blocks: 246164, 429034

Description Chandrasekar Kannan 2008-01-24 06:14:04 UTC
Ticket #17 (assigned enhancement)
Opened 4 months ago
Last modified 3 weeks ago
nonce or confirmation for sensitive operations
Reported by: kmccarth
Assigned to: rcritten (accepted)
Priority: major
Milestone: release-1
Component: ipa-gui
Version: 1.0
Description

Add either a nonce or a confirmation for sensitive operations (such as editing your password). This is to protect against forms on other (evil) pages tricking you into clicking and so setting your password to a known value.
Attachments

freeipa-568-sessions.patch (3.7 kB) - added by rcritten on 2008-01-03 11:16:28.
    use server-side variable to determine if the updated user is the last edited user

Change History
2007-10-24 09:02:29 changed by rcritten

This nonce will be generated on the page that prompts for the password change.

This prevents a direct POST to the password change url. It must go through that other page first to be accepted.
2007-10-31 14:23:47 changed by rcritten

    * owner changed from kmccarth to rcritten.

2008-01-03 11:16:28 changed by rcritten

    * attachment freeipa-568-sessions.patch added.

use server-side variable to determine if the updated user is the last edited user
2008-01-03 11:16:54 changed by rcritten

    * status changed from new to assigned.

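The ticket and rcritten's 2007-10-24 note describe the standard anti-CSRF pattern: the page that prompts for the new password mints a nonce, keeps it server-side in the session, and the password-change handler rejects any POST that does not carry that nonce, so a form on another site cannot drive the change directly. The following is an added example, not code from the FreeIPA project: the session store (`SESSIONS`), the `render_password_form` and `handle_change_password` functions and the field names are all assumptions made for the demonstration, and the on-disk session directory from comment 1 is replaced by an in-memory dict.

```python
"""Per-form nonce protecting a sensitive operation (added example, not FreeIPA code).

The server-side session is a plain dict standing in for the on-disk sessions
the ticket mentions; an HTTP request is modelled as a dict of POSTed fields.
"""
import hmac
import secrets

# Hypothetical session store: session id -> server-side state for that user.
# Because the nonce lives only here and in the rendered page, a cross-site
# form has no way to learn it.
SESSIONS = {}

NONCE_KEY = "nonce:change_password"   # one key per sensitive operation


def new_session():
    """Create an empty server-side session and return its id."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {}
    return sid


def render_password_form(sid):
    """Step 1: the page that prompts for the password change mints a nonce,
    stores it server-side and embeds it as a hidden form field."""
    nonce = secrets.token_urlsafe(32)
    SESSIONS[sid][NONCE_KEY] = nonce
    return {"action": "/change_password", "hidden": {"nonce": nonce}}


def handle_change_password(sid, form):
    """Step 2: the POST handler accepts the request only if it carries the
    nonce minted for this session by step 1. The nonce is consumed on first
    use, so a direct POST (never visited the form) and a replay both fail."""
    session = SESSIONS.get(sid)
    if session is None:
        return False, "no session"
    # pop() before comparing: a wrong guess also burns the nonce, so an
    # attacker cannot try values against a long-lived token.
    expected = session.pop(NONCE_KEY, None)
    supplied = form.get("nonce", "")
    if expected is None or not hmac.compare_digest(expected, supplied):
        return False, "missing or invalid nonce: request did not come through the password form"
    if not form.get("new_password"):
        return False, "no password supplied"
    session["password"] = form["new_password"]   # stand-in for the real update
    return True, "password changed"


def demo():
    """Exercise the three cases from the ticket: a direct POST that skipped
    the form, the legitimate two-step flow, and a replay of a used nonce."""
    sid = new_session()
    # A cross-site form can only produce a POST without the nonce.
    direct = handle_change_password(sid, {"new_password": "known-value"})
    # Legitimate flow: render the form, then submit with its nonce.
    page = render_password_form(sid)
    legit = handle_change_password(
        sid, {"nonce": page["hidden"]["nonce"], "new_password": "s3cret"})
    # Re-submitting with the same nonce must fail: it was consumed above.
    replay = handle_change_password(
        sid, {"nonce": page["hidden"]["nonce"], "new_password": "other"})
    return direct[0], legit[0], replay[0]


if __name__ == "__main__":
    print(demo())   # (False, True, False)
```

The nonce is keyed by operation name so a token issued for one form cannot be reused on another, and `hmac.compare_digest` keeps the comparison constant-time. Consuming the nonce on the first attempt, right or wrong, is the trade-off rcritten's design implies: a user whose submission fails simply has to revisit the form.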
Comment 1 Rob Crittenden 2008-01-24 19:36:45 UTC
Committed in changeset 591

In production the sessions are saved to /var/cache/ipa/sessions

In dev mode the sessions go into /tmp

Comment 2 Yi Zhang 2008-04-08 22:57:07 UTC
qa verified, bug closed
build used: 4-8-2008 daily build