Bug 429991 - nonce or confirmation for sensitive operations
nonce or confirmation for sensitive operations
Status: CLOSED ERRATA
Product: freeIPA
Classification: Community
Component: WebUI (Show other bugs)
1.0
All Linux
high Severity high
: ---
: ---
Assigned To: Rob Crittenden
Chandrasekar Kannan
:
Depends On:
Blocks: freeipa10 429034
  Show dependency treegraph
 
Reported: 2008-01-24 01:14 EST by Chandrasekar Kannan
Modified: 2012-03-27 03:18 EDT (History)
5 users (show)

See Also:
Fixed In Version: freeipa-2.0.0-1.fc15
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Chandrasekar Kannan 2008-01-24 01:14:04 EST
Ticket #17 (assigned enhancement)

Opened 4 months ago

Last modified 3 weeks ago
nonce or confirmation for sensitive operations
Reported by: 	kmccarth 	Assigned to: 	rcritten (accepted)
Priority: 	major 	Milestone: 	release-1
Component: 	ipa-gui 	Version: 	1.0
Keywords: 		Cc: 	
Description ¶

Add either a nonce or a confirmation for sensivite operations (such as editing your password). This is to protect against forms on other (evil) pages tricking you into clicking and so setting your password to a known value.
Attachments

freeipa-568-sessions.patch (3.7 kB) - added by rcritten on 2008-01-03 11:16:28.
    use server-side variable to determine if the updated user is the last edited user

Change History
2007-10-24 09:02:29 changed by rcritten ¶

This nonce will be generated on the page that prompts for the password change.

This prevents a direct POST to the password change url. It must go through that other page first to be accepted.
2007-10-31 14:23:47 changed by rcritten ¶

    * owner changed from kmccarth to rcritten.

2008-01-03 11:16:28 changed by rcritten

    * attachment freeipa-568-sessions.patch added.

use server-side variable to determine if the updated user is the last edited user
2008-01-03 11:16:54 changed by rcritten ¶

    * status changed from new to assigned.
Comment 1 Rob Crittenden 2008-01-24 14:36:45 EST
Committed in changeset 591

In production the sessions are saved to /var/cache/ipa/sessions

In dev mode the sessions to into /tmp
Comment 2 Yi Zhang 2008-04-08 18:57:07 EDT
qa verified, bug closed
build used: 4-8-2008 daily build

Note You need to log in before you can comment on or make changes to this bug.