Versions Compared

...

Login forms can be susceptible to CSRF[2] attacks. In these cases the attacker attempts to trick the victim into logging in as the attacker (a "login CSRF"). The attacker could then:

...

The anti-CSRF token is generated on-entry (or on-render) to a view state and placed inside the SWF (Spring Web Flow) viewScope, so it lives exactly as long as that view state. It could instead be generated on-render if required. For example, in the DisplayUsernamePasswordPage view-state of the authn-password-flow.xml:

Code Block
<on-entry>
   <evaluate expression="flowRequestContext.getActiveFlow().getApplicationContext().getBean('shibboleth.CsrfTokenManager').generateCsrfToken()" result="viewScope.csrfToken" />
</on-entry>


Still inside the DisplayUsernamePasswordPage view-state, the anti-CSRF token stored in the viewScope must then be compared with the one returned as an HTTP parameter from the view. Because the token is bound to the viewScope, this comparison has to happen inside the view-state, before the proceed transition is executed and the state is exited (at which point the viewScope, and the token with it, is discarded). Hence, a ValidateCsrfToken action is nested inside the proceed transition:
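The two halves described above, generation on entry and validation nested in the proceed transition, shown together in one view-state as an added illustration. This is not the page's own configuration nor the Shibboleth project's shipped flow: the transition target, the view name and the way the ValidateCsrfToken action is referenced as a bean are assumptions, and only the on-entry expression and the bean name shibboleth.CsrfTokenManager come from the page.

```xml
<!-- Added illustration, not taken from the page or from the Shibboleth IdP distribution.
     Assumed: view name, transition target ("NextState") and the ValidateCsrfToken bean. -->
<view-state id="DisplayUsernamePasswordPage" view="login">

    <on-entry>
        <!-- A fresh token is minted every time this view state is entered and is
             bound to viewScope, so it is discarded when the state is exited. -->
        <evaluate expression="flowRequestContext.getActiveFlow().getApplicationContext().getBean('shibboleth.CsrfTokenManager').generateCsrfToken()"
                  result="viewScope.csrfToken" />
    </on-entry>

    <!-- Validation must run while viewScope still exists, hence it is nested inside
         the transition rather than placed in the next state. In Spring Web Flow an
         action inside a transition that does not return "success" aborts the
         transition, so the flow stays in this view state and re-renders the form
         instead of proceeding with a request that carried a missing or wrong token. -->
    <transition on="proceed" to="NextState">
        <evaluate expression="ValidateCsrfToken" />
    </transition>

</view-state>
```

For this to work the login view must echo the token back: the page template renders viewScope.csrfToken into a hidden form field, and ValidateCsrfToken reads that HTTP parameter and compares it with the value still held in viewScope. A request that reaches the proceed event without the matching token (the situation a cross-site login attempt produces) never leaves the view state.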

...