

Enable cross-site request forgery protection

Cross-site request forgery (CSRF) is an attack that tricks a user's browser into sending requests the user did not intend. For example, an attacker can trick an authenticated user into clicking a link that updates their personal information. WebSphere Commerce accepts this request as valid, because the user's session cookies are sent with it automatically.

When cross-site request forgery protection is enabled, a designated URL parameter called authToken must be included with every protected request. WebSphere Commerce generates the parameter value and passes it to the page in a request attribute with the same name, so the page can embed it in the forms and links it renders.


Procedure

  1. Identify the action to protect. For example, UserRegistrationUpdate.

  2. Open the Struts configuration file where the action is defined and add a new property called csrfProtected to the action.

    For example:

    <action
        parameter="com.ibm.commerce.usermanagement.commands.UserRegistrationUpdateCmd"
        path="/UserRegistrationUpdate" type="com.ibm.commerce.struts.BaseAction">
        <set-property property="https" value="0:1"/>
        <set-property property="authenticate" value="0:0"/>
        <set-property property="csrfProtected" value="10101:1"/>
    </action>


    The value attribute of the set-property element is a comma-separated list of <storeId>:<property value> pairs. The action is protected by CSRF protection for a given store when its property value is 1.

  3. Edit the JSP file that invokes this action to include the authToken URL parameter.

    For example:

    <input type="hidden" name="authToken" value="${authToken}" id="WC_UserRegistrationUpdateForm_FormInput_authToken_In_Register_1"/>
    

  4. Restart the WebSphere Commerce Server or update the StrutsConfigRegistry registry component.
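The following is an added example, not WebSphere Commerce code, that models the check the procedure above configures: it parses the csrfProtected set-property value into a per-store table, generates an unguessable authToken for a session, and decides whether a request for the UserRegistrationUpdate action reaches the action or is sent to the CrossSiteRequestForgeryErrorView. The action configuration, request and session are constructed inline; the assumption that store id 0 acts as the default for stores without their own entry, and the function names, are mine and not from the page.

```python
import hmac
import secrets

# View named on the page for requests that fail the check.
CSRF_ERROR_VIEW = "CrossSiteRequestForgeryErrorView"

# Constructed stand-in for the Struts <action> element in the procedure.
ACTION_CONFIG = {
    "path": "/UserRegistrationUpdate",
    "type": "com.ibm.commerce.struts.BaseAction",
    "https": "0:1",
    "authenticate": "0:0",
    "csrfProtected": "10101:1",
}


def parse_store_property(value):
    """Parse '<storeId>:<value>,<storeId>:<value>' into {storeId: value}."""
    table = {}
    for item in value.split(","):
        item = item.strip()
        if not item:
            continue
        store_id, _, prop_value = item.partition(":")
        table[int(store_id)] = prop_value.strip()
    return table


def is_csrf_protected(csrf_protected_value, store_id):
    """True when the property value for this store is 1.

    Assumption (not stated on the page): an entry for store 0 is the default
    used when no store-specific entry exists; with no entry at all the action
    is unprotected.
    """
    table = parse_store_property(csrf_protected_value)
    return table.get(store_id, table.get(0, "0")) == "1"


def new_auth_token():
    """Generate the per-session token a page embeds as the authToken parameter."""
    return secrets.token_urlsafe(32)


def dispatch(action_config, request_params, session):
    """Return the view or action path the request is routed to.

    A protected request must carry an authToken equal to the session's token;
    the comparison is constant-time so token bytes cannot be guessed by timing.
    """
    store_id = int(request_params.get("storeId", "0"))
    if is_csrf_protected(action_config.get("csrfProtected", ""), store_id):
        supplied = request_params.get("authToken")
        expected = session.get("authToken")
        if supplied is None or expected is None:
            return CSRF_ERROR_VIEW
        if not hmac.compare_digest(supplied.encode(), expected.encode()):
            return CSRF_ERROR_VIEW
    return action_config["path"]


def demo():
    """Constructed walk-through: a forged request without the token, then a
    legitimate form submission that includes it."""
    session = {"authToken": new_auth_token()}
    forged = {"storeId": "10101", "email": "attacker@example.invalid"}
    legitimate = dict(forged, authToken=session["authToken"])
    return (
        dispatch(ACTION_CONFIG, forged, session),
        dispatch(ACTION_CONFIG, legitimate, session),
    )


if __name__ == "__main__":
    forged_view, legit_view = demo()
    print("forged request ->", forged_view)
    print("legitimate request ->", legit_view)
```

Running the block shows the forged request routed to CrossSiteRequestForgeryErrorView and the legitimate one reaching /UserRegistrationUpdate. Note that the token is compared with the value stored server-side for the session, never with anything the client sends twice, and that a request for a store id with property value 0 passes through unchecked, which is why the store list in the set-property element should be reviewed for every store that exposes the action.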


Results

When a cross-site request forgery violation is detected, the request is redirected to the CrossSiteRequestForgeryErrorView view. That is, this view is shown whenever a request for an action configured as protected does not include a valid authToken parameter.


Related concepts

Madisons starter store

Elite starter store

Related reference

Cross-site request forgery error

Cross-site Request Forgery Error

