PUBLIC - Liferay Documentation / LRDOCS-5505

Document Liferay's CSRF protection with the p_auth parameter


    • Type: Improvement
    • Status: Open
    • Priority: Minor
    • Resolution: Unresolved
    • Fix Version/s: None
    • Component/s: Application Security
    • Labels:


Liferay has CSRF protection via the p_auth token. There is a lot of information regarding this parameter in wikis, forums, and Q&A, but much of it is out of date. It would be helpful to have official documentation for this feature.

The documentation should probably briefly explain CSRF and the p_auth token and link to OWASP for a more thorough explanation.

The documentation should also explain:

• When the p_auth CSRF protection was first added (meaning which version of Liferay Portal first had the p_auth CSRF protection).
• If the protection is enabled by default (I believe it is).
• When p_auth CSRF protection was first enabled by default (meaning which version of Liferay Portal first had it enabled by default).
• How to disable the p_auth protection (with a lot of cautionary language about why it's dangerous to disable the feature).
• The portlet phases that the p_auth CSRF protection is enabled for (I believe it's just the ACTION_PHASE for now).
• How to use the p_auth token CSRF protection during other phases (such as the RESOURCE_PHASE to secure Ajax forms against CSRF).
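Added example for the last point above (it is not code from this ticket or from Liferay's documentation): a portlet that applies the p_auth check itself in the RESOURCE_PHASE, so an Ajax form handled by serveResource gets the same protection action URLs get. It assumes the Liferay 7.x kernel API names (AuthTokenUtil.checkCSRFToken, PortalUtil, MVCPortlet, PrincipalException) and that the client sends the session's p_auth value (available to page scripts as Liferay.authToken) as a request parameter on the Ajax call; the package and class names are hypothetical.

```java
// Assumed Liferay 7.x API names; package and class are hypothetical.
package com.example.csrf;

import java.io.IOException;
import javax.portlet.PortletException;
import javax.portlet.ResourceRequest;
import javax.portlet.ResourceResponse;
import javax.servlet.http.HttpServletRequest;
import com.liferay.portal.kernel.portlet.bridges.mvc.MVCPortlet;
import com.liferay.portal.kernel.security.auth.AuthTokenUtil;
import com.liferay.portal.kernel.security.auth.PrincipalException;
import com.liferay.portal.kernel.util.PortalUtil;

public class AjaxFormPortlet extends MVCPortlet {

    @Override
    public void serveResource(ResourceRequest resourceRequest,
            ResourceResponse resourceResponse)
            throws IOException, PortletException {

        // Unwrap the portlet request to the original servlet request: the
        // p_auth parameter is a plain request parameter, not a
        // portlet-namespaced one, so it is read from the servlet request.
        HttpServletRequest httpServletRequest =
            PortalUtil.getOriginalServletRequest(
                PortalUtil.getHttpServletRequest(resourceRequest));

        try {
            // Compare the submitted p_auth with the session's token. The
            // second argument identifies the calling portlet when a
            // failed check is reported.
            AuthTokenUtil.checkCSRFToken(
                httpServletRequest, AjaxFormPortlet.class.getName());
        }
        catch (PrincipalException pe) {
            // Missing or mismatched token: refuse before doing any work,
            // exactly as the portal does for the ACTION_PHASE.
            resourceResponse.setProperty(
                ResourceResponse.HTTP_STATUS_CODE, "403");
            return;
        }

        // Token verified: handle the Ajax form submission here.
        super.serveResource(resourceRequest, resourceResponse);
    }
}
```

On the client side the form's Ajax request must carry the same p_auth value the page was rendered with, or every submission is rejected.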



