Project: PUBLIC - Liferay Documentation
Issue: LRDOCS-5505

Document Liferay's CSRF protection with the p_auth parameter

Details

• Type: Improvement
• Status: Open
• Priority: Minor
• Resolution: Unresolved
• Fix Version/s: None
• Component/s: Application Security
• Labels: None

      Description

      Liferay has CSRF protection via the p_auth token. There is a lot of information regarding this parameter in wikis, forums, and Q&A, but much of it is out of date. It would be helpful to have official documentation for this feature.

      The documentation should probably briefly explain CSRF and the p_auth token and link to OWASP for a more thorough explanation.

      The documentation should also explain:

      • When the p_auth CSRF protection was first added (meaning which version of Liferay Portal first had the p_auth CSRF protection).
      • If the protection is enabled by default (I believe it is).
      • When p_auth CSRF protection was first enabled by default (meaning which version of Liferay Portal first had it enabled by default).
      • How to disable the p_auth protection (with a lot of cautionary language about why it's dangerous to disable the feature).
      • The portlet phases that the p_auth CSRF protection is enabled for (I believe it's just the ACTION_PHASE for now).
      • How to use the p_auth token CSRF protection during other phases (such as the RESOURCE_PHASE to secure Ajax forms against CSRF).
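As an added illustration of the last bullet (this is not code from the ticket or from Liferay's own documentation): a portlet that checks the p_auth token itself in the RESOURCE_PHASE, which the default protection does not cover. It assumes the Liferay 7.x portal-kernel API (AuthTokenUtil, PortalUtil, MVCPortlet) and that the Ajax caller sends the session token, available client-side as Liferay.authToken, in a p_auth parameter.

```java
// Added example, not from the ticket or Liferay's docs. Assumes the Liferay 7.x
// portal-kernel classes imported below; the Ajax client is assumed to send
// p_auth=Liferay.authToken with its resource request.
import java.io.IOException;
import javax.portlet.PortletException;
import javax.portlet.ResourceRequest;
import javax.portlet.ResourceResponse;
import javax.servlet.http.HttpServletRequest;
import com.liferay.portal.kernel.exception.PortalException;
import com.liferay.portal.kernel.portlet.bridges.mvc.MVCPortlet;
import com.liferay.portal.kernel.security.auth.AuthTokenUtil;
import com.liferay.portal.kernel.util.PortalUtil;

public class CsrfCheckedResourcePortlet extends MVCPortlet {

    @Override
    public void serveResource(
            ResourceRequest resourceRequest, ResourceResponse resourceResponse)
        throws IOException, PortletException {

        // Unwrap the portlet request to reach the servlet request that
        // carries the p_auth parameter sent by the Ajax call.
        HttpServletRequest httpServletRequest =
            PortalUtil.getHttpServletRequest(resourceRequest);

        try {
            // Compares the p_auth parameter with the token bound to the
            // caller's session; throws if it is missing or does not match.
            AuthTokenUtil.checkCSRFToken(
                httpServletRequest, CsrfCheckedResourcePortlet.class.getName());
        }
        catch (PortalException portalException) {
            // Token absent or wrong: refuse the request without doing any
            // state-changing work, so a cross-site Ajax POST has no effect.
            resourceResponse.setProperty(
                ResourceResponse.HTTP_STATUS_CODE, "403");
            return;
        }

        // Token valid: continue with the normal resource handling.
        super.serveResource(resourceRequest, resourceResponse);
    }
}
```

Reads that only render data do not need the check; apply it to resource requests that change state, since that is what CSRF targets.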
