Re: [TEST] Test "POC for CSRF Token"

2020-03-28 Thread James Yong
Hi Jacques, For 1, seems like an ICsrfDefenseStrategy class implementation issue. We can use another Jira for the enhancement / discussion when this JIRA (OFBIZ-11306) is completed. For 2, csrf-token check is independent of auth check, and the current implementation should work as it is. So re

Re: GraphQL API for OFBiz

2020-03-28 Thread Girish Vasmatkar
Hi Guys - I've attached video link of the demo held on 03/27 to the ticket https://issues.apache.org/jira/browse/OFBIZ-11347. Let me know should you have any questions. Best Regards, Girish On Sat, Mar 28, 2020 at 2:56 PM Girish Vasmatkar < girish.vasmat...@hotwaxsystems.com> wrote: > Hi Pierr

Re: Demo instance for OFBiz 17.12 release and remove 13.07 demo

2020-03-28 Thread Swapnil M Mane
Hello team, I am planning to upgrade the demo instances next week. If you have any feedback or thoughts, please feel free to comment at https://issues.apache.org/jira/browse/OFBIZ-11472 - Best regards, Swapnil M Mane, ofbiz.apache.org On Mon, Mar 23, 2020 at 3:48 PM Jacques Le Roux < jacques.l

Re: [TEST] Test "POC for CSRF Token"

2020-03-28 Thread Jacques Le Roux
Hi Girish, Thanks for asking! I have read in several up-to-date places that it's better to have both. Notably when you use the lax option that I have left users to choose, because this might be needed in some cases. So the CSRF token defense offers a second fence. OWASP clearly explains wh

Re: [TEST] Test "POC for CSRF Token"

2020-03-28 Thread Girish Vasmatkar
Hi Jacques I second your points. However, I have the following question - Since you have explored and followed OWASP very extensively, do you think with the introduction of same-site attribute, the whole concept of CSRF token becomes somewhat redundant, provided almost every browser has the suppo

Re: GraphQL API for OFBiz

2020-03-28 Thread Girish Vasmatkar
Hi Pierre Yes, the demo went well barring some network glitches :). It was recorded as well so I will put the details on the ticket. Thanks for your interest. Best, Girish On Sat, Mar 28, 2020 at 1:30 PM Pierre Smits wrote: > Hi Girish, > > How did your presentation go? Unfortunately I was un

Re: [TEST] Test "POC for CSRF Token"

2020-03-28 Thread Jacques Le Roux
Hi, Of course, I have my own opinion. Here are my answers to these questions. 1. By default in OFBiz the session timeout is 1 hour. After that, OFBiz generates a new CSRF token before you sign in. I think for OFBiz applications it's enough security. Of course we could have more fancy defense

Re: GraphQL API for OFBiz

2020-03-28 Thread Pierre Smits
Hi Girish, How did your presentation go? Unfortunately I was unable to attend/participate, but am curious. Will you capture highlights and put those in the ticket? Kind regards, Pierre On Fri, 27 Mar 2020 at 10:13, Deepak Dixit wrote: > Great initiative Girish. > > Thanks & Regards > -- > Deepak Dixit >