p_auth token missing from GET request
Written By
Peter Schwarcz
How To articles are not official guidelines or officially
supporteddocumentation. They are community-contributed content and may
not alwaysreflect the latest updates to Liferay DXP. We welcome your
feedback toimprove How to articles!
While we make every effort to ensure this Knowledge Base is accurate,
itmay not always reflect the most recent updates or official
guidelines.We appreciate your understanding and encourage you to reach
out with anyfeedback or concerns.
Legacy Article
You are viewing an article from our legacy
"FastTrack"publication program, made available for
informational purposes. Articlesin this program were published without a
requirement for independentediting or verification and are provided
"as is" withoutguarantee.
Before using any information from this article, independently verify
itssuitability for your situation and project.
Issue
- After enabling CSRF Tokens, a
p_auth token is appended to URLs, as expected.
- However, we noticed that if we manually remove this from the end of a URL and hit enter, we are still able to access the page, even though
p_auth is now missing from the request.
- Does this mean CSRF protection is compromised?
Resolution
- No, CSRF protection is not compromised.
-
p_auth tokens are a way of preventing CSRF attacks when it comes to POST requests; the issue described above concerned a GET request.
-
While both GET and POST could be vulnerable to CSRF, RFC 9110 states that the GET methods should not have the significance of taking an action other than retrieval. These methods ought to be considered "safe". Therefore, if a website has kept to the standard and only implements "unsafe" actions as POSTs, then here only POST requests are vulnerable.
Did this article resolve your issue ?