Hello Manuel,

This kind of question has been a topic for us as well.

It seems to me that the first line of defense is the authentication. On the Admin Interface, communication may just be via POST requests, but the Admin Interface is protected using (configurable) authentication. So a CSRF attack would have to first "steal" a session cookie before successfully being able to submit any request.

Assuming this is really a problem for you, I don't think the mgnlCK ("cache-killer") token will be of any help. This is just a "dummy" parameter which has the effect of disabling any caching when working on the author instance. AFAIK this parameter is simply ignored.

I think you could probably implement what you need by adding a filter (or maybe a custom login module) fairly early in Magnolia's filter chain. This filter could perform 2 checks:

1. On login, associate the session with the client IP. Subsequently, if the client IP changes for the session, reject the request. (IP-locked sessions)
2. Associate each response with a (cryptographically secured) cookie-based token. Accept each request only if it has a valid token. This would prevent replay attacks (and use of the "Back" button!), but could be some work to implement.

I wonder if this level of security is really required?

Regards from Vienna,
Richard

-----Original Message-----
From: dev-list-ow...@magnolia-cms.com [mailto:dev-list-ow...@magnolia-cms.com] On behalf of Manuel Hirschauer
Sent: Monday, 05 December 2011 10:29
To: dev-list@magnolia-cms.com
Subject: [magnolia-dev] Cross-Site Request Forgery

Hello All,

I posted this on the user list but maybe this is more appropriate here.

Is there a way to prepare Magnolia against Cross-Site Request Forgery? If I create a form on a webpage it contains a form token. That is used for multi-forms as I understand. But it also protects against CSRF. But in the admin interface the commands are just POST requests? Is it possible to add a token to every action from the web interface?

There is a parameter mgnlCK. As far as I understand this is just a timestamp? To disable the cache? Could this be used as a security token? Or is there another way to protect Magnolia from CSRF? Is there a solution for the enterprise edition maybe? Or a future Magnolia version (as for now I am using 4.4.4)?

Thanks and regards,
Manuel Hirschauer

----------------------------------------------------------------
For list details, see: http://www.magnolia-cms.com/community/mailing-lists.html
Alternatively, use our forums: http://forum.magnolia-cms.com/
To unsubscribe, E-mail to: <dev-list-unsubscr...@magnolia-cms.com>
----------------------------------------------------------------