Ticket #17 (assigned enhancement)

Opened 4 months ago
Last modified 3 weeks ago

nonce or confirmation for sensitive operations

Reported by: kmccarth
Assigned to: rcritten (accepted)
Priority: major
Milestone: release-1
Component: ipa-gui
Version: 1.0
Keywords:
Cc:

Description

Add either a nonce or a confirmation for sensitive operations (such as editing your password). This is to protect against forms on other (evil) pages tricking you into clicking and so setting your password to a known value.

Attachments

freeipa-568-sessions.patch (3.7 kB) - added by rcritten on 2008-01-03 11:16:28.
use server-side variable to determine if the updated user is the last edited user

Change History

2007-10-24 09:02:29 changed by rcritten

This nonce will be generated on the page that prompts for the password change. This prevents a direct POST to the password change URL. It must go through that other page first to be accepted.

2007-10-31 14:23:47 changed by rcritten

* owner changed from kmccarth to rcritten.

2008-01-03 11:16:28 changed by rcritten

* attachment freeipa-568-sessions.patch added.

use server-side variable to determine if the updated user is the last edited user

2008-01-03 11:16:54 changed by rcritten

* status changed from new to assigned.

Committed in changeset 591.

In production the sessions are saved to /var/cache/ipa/sessions.
In dev mode the sessions go into /tmp.

QA verified, bug closed.
Build used: 4-8-2008 daily build
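
The nonce flow described in the 2007-10-24 comment, sketched as an added example; it is not taken from the ticket, the attached patch, or the FreeIPA code base. The session is modelled as a plain dict, and the handler names and the `pw_change_nonce` key are hypothetical.

```python
import hmac
import secrets

NONCE_KEY = "pw_change_nonce"  # hypothetical name for the server-side session slot


def render_password_form(session):
    """GET handler: mint a fresh nonce, keep it server-side, embed it in the form."""
    nonce = secrets.token_urlsafe(32)
    session[NONCE_KEY] = nonce
    return {"hidden_fields": {"nonce": nonce}}


def handle_password_post(session, form):
    """POST handler: accept the change only if the form carries this session's nonce."""
    expected = session.pop(NONCE_KEY, None)  # single use: consumed even on failure
    submitted = form.get("nonce", "")
    if expected is None:
        return 403, "no nonce issued: the form page was never loaded"
    if not isinstance(submitted, str) or not hmac.compare_digest(
            expected.encode(), submitted.encode()):
        return 403, "nonce mismatch"
    # ... the real password update would happen here ...
    return 200, "password changed"


def demo():
    """Run four constructed requests against one session; return the status codes."""
    session, statuses = {}, []
    # 1. Direct POST from another site: the form page was never visited.
    statuses.append(handle_password_post(session, {"password": "known-value"})[0])
    # 2. Form page is open, but the foreign page cannot read the nonce and guesses.
    render_password_form(session)
    forged = {"password": "known-value", "nonce": "guess"}
    statuses.append(handle_password_post(session, forged)[0])
    # 3. Legitimate submit: the nonce comes from the page the user actually loaded.
    page = render_password_form(session)
    form = dict(page["hidden_fields"], password="new-secret")
    statuses.append(handle_password_post(session, form)[0])
    # 4. Replay of the same form: the nonce was already consumed.
    statuses.append(handle_password_post(session, form)[0])
    return statuses


if __name__ == "__main__":
    print(demo())
```

Because the expected value lives only in server-side session storage, the check depends on that storage not being readable or writable by other local users.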