Hello, I am a new OJS user and I could see that in the login form there is a hidden field called csrfToken. I would like to know what this field is for and how its value is generated. Does this field have any relation to the OJSSID session cookie?
My current OJS version: 3.1.1-4
Thank you!
Hi @Denys_Maciel,
There’s info on CSRF at e.g. Cross-site request forgery - Wikipedia and on OJS’s implementation at [OJS] GET used for changing state of the system · Issue #1131 · pkp/pkp-lib · GitHub. Do you have a specific interest?
Regards,
Alec Smecher
Public Knowledge Project Team
Hi @asmecher, I would like to know if there is any relationship between csrfToken and OJSSID cookie regarding OJS security.
Hi @Denys_Maciel,
There’s no relationship, i.e. you can’t determine the token from the cookie.
Regards,
Alec Smecher
Public Knowledge Project Team
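To make the "no relationship" point concrete, here is a minimal illustration of the usual pattern: the session cookie value is an opaque random id, the CSRF token is separate fresh randomness kept server-side in that session, and a state-changing request is accepted only when the cookie resolves to a session *and* the submitted token matches. This is an added example written for this thread, not OJS's own code; it reuses the names OJSSID and csrfToken from the question, and everything else (the in-memory store, the function names, the token sizes) is an assumption.

```python
import hmac
import secrets

SESSION_COOKIE_NAME = "OJSSID"   # cookie name from the thread
CSRF_FIELD_NAME = "csrfToken"    # hidden form field name from the thread
# Everything below is a constructed illustration, not OJS's implementation.


class SessionStore:
    """Server-side session store keyed by an opaque session id (the cookie value)."""

    def __init__(self):
        self._sessions = {}

    def create(self):
        # The cookie value is pure randomness; it carries no information about the CSRF token.
        session_id = secrets.token_urlsafe(32)
        self._sessions[session_id] = {}
        return session_id

    def get(self, session_id):
        return self._sessions.get(session_id)


def csrf_token_for(session):
    """Return the CSRF token for this session, minting one on first use.

    The token is independent randomness stored in the session record; it is
    not derived from the session id, so knowing the cookie reveals nothing
    about the token.
    """
    if "csrf" not in session:
        session["csrf"] = secrets.token_hex(32)
    return session["csrf"]


def render_login_form(store, session_id):
    """Embed the per-session token as a hidden field, as the login form does."""
    session = store.get(session_id)
    token = csrf_token_for(session)
    return f'<input type="hidden" name="{CSRF_FIELD_NAME}" value="{token}">'


def handle_post(store, cookies, form):
    """Validate a state-changing request. Returns (ok, reason).

    A cross-site request forged from another origin carries the victim's
    cookie automatically, but the forging page cannot read the token from the
    victim's form, so the token check fails and the request is rejected.
    """
    session_id = cookies.get(SESSION_COOKIE_NAME)
    session = store.get(session_id) if session_id else None
    if session is None:
        return False, "no valid session"
    expected = session.get("csrf")
    submitted = form.get(CSRF_FIELD_NAME, "")
    # Constant-time comparison avoids leaking how many leading bytes matched.
    if expected is None or not hmac.compare_digest(expected.encode(), submitted.encode()):
        return False, "csrf token mismatch"
    return True, "ok"


if __name__ == "__main__":
    store = SessionStore()
    sid = store.create()
    print(render_login_form(store, sid))
    token = store.get(sid)["csrf"]
    print(handle_post(store, {SESSION_COOKIE_NAME: sid}, {CSRF_FIELD_NAME: token}))
    print(handle_post(store, {SESSION_COOKIE_NAME: sid}, {}))  # cookie present, token absent
```

The last call models the CSRF case the token exists to stop: the browser attaches the OJSSID cookie on its own, but without the token the request is refused, and nothing in the cookie lets a third party compute that token.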
Ok, last question: in which classes are cookie and csrfToken generated? I need to understand this for a college job.
Hi @Denys_Maciel,
The CSRF token is implemented in pkp-lib/Session.inc.php at 7daaa64809ab7b72fb06b5ee9fb950d401dd7362 · pkp/pkp-lib · GitHub, and the session management (including cookie) is implemented in SessionManager in the same path.
Regards,
Alec Smecher
Public Knowledge Project Team
1 Like
Okay, thanks a lot @asmecher!