enable-secret-token-validation
Use the enable-secret-token-validation stanza entry to enable secret token validation, which protects certain WebSEAL account management pages against cross-site request forgery (CSRF) attacks.
enable-secret-token-validation = {true|false}

Description
Use this entry to enable secret token validation, which protects certain WebSEAL account management pages against cross-site request forgery (CSRF) attacks. If you set this entry to true, WebSEAL adds a token to each session and validates the "token" query argument for the following account management requests:
- /pkmslogin.form
- /pkmslogout
- /pkmslogout-nomas
- /pkmssu.form
- /pkmsskip
- /pkmsdisplace
- /pkmspaswd.form
- /pkmsoidc
For example, you must change the /pkmslogout request to /pkmslogout?token=<value>, where <value> is the unique session token.
If secret token validation is enabled and the token argument is missing from the request or does not match the session token, WebSEAL returns an error page. For information about secret token validation, search for "CSRF" in the IBM Security Verify Access: Web Reverse Proxy Configuration Guide.
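The following is an added illustration of the validation rule described above, not WebSEAL code and not an IBM-documented API. It models the check with a small Python function: a per-session token (the generation scheme here is an assumption; the real token format is not documented on this page), the list of protected paths taken from this page, and the rule that a protected request is rejected when the "token" query argument is missing or does not match the session token. The `add_token` helper shows the URL change the page calls for (`/pkmslogout` becoming `/pkmslogout?token=<value>`).

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Account management paths this reference page lists as protected
# when enable-secret-token-validation = true.
PROTECTED_PATHS = frozenset({
    "/pkmslogin.form",
    "/pkmslogout",
    "/pkmslogout-nomas",
    "/pkmssu.form",
    "/pkmsskip",
    "/pkmsdisplace",
    "/pkmspaswd.form",
    "/pkmsoidc",
})


def new_session_token() -> str:
    """Return a fresh per-session secret.

    Assumption for this example: a 256-bit URL-safe random string. WebSEAL's
    actual token format is not described on the page being illustrated.
    """
    return secrets.token_urlsafe(32)


def add_token(path: str, session_token: str) -> str:
    """Rewrite a protected request URL so it carries the session token.

    Example: add_token("/pkmslogout", t) -> "/pkmslogout?token=<t>"
    """
    return f"{path}?{urlencode({'token': session_token})}"


def validate_request(request_url: str, session_token: str, enabled: bool = True) -> str:
    """Apply the secret-token rule and return "allow" or "error".

    - Paths outside the protected set are never checked.
    - With validation disabled (enabled=False) every request is allowed.
    - Otherwise exactly one "token" query argument must be present and it
      must equal the session token; anything else yields the error page.
    """
    parts = urlsplit(request_url)
    if not enabled or parts.path not in PROTECTED_PATHS:
        return "allow"

    supplied = parse_qs(parts.query).get("token", [])
    if len(supplied) != 1:
        # Missing token, or a duplicated argument that would be ambiguous.
        return "error"

    # Constant-time comparison so a mismatch does not leak which characters matched.
    if not hmac.compare_digest(supplied[0], session_token):
        return "error"
    return "allow"


if __name__ == "__main__":
    token = new_session_token()
    for url in ("/pkmslogout", add_token("/pkmslogout", token), "/pkmslogout?token=wrong", "/index.html"):
        print(f"{url:<70} -> {validate_request(url, token)}")
```

A request forged from a third-party site cannot know the victim's session token, so it can only produce the bare `/pkmslogout` form and is turned away; only links and forms that WebSEAL or the application rendered with the correct token pass. The multiple-argument case is treated as an error here because accepting the first of several values would let an attacker-controlled duplicate sit alongside a legitimate one.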
Options
true
    WebSEAL uses secret token validation to protect against CSRF attacks. This setting modifies the URLs for the affected WebSEAL management pages. Each of these management requests must contain a "token" argument with the current session token.
false
    WebSEAL does not use secret token validation.
Usage: Optional
Default: false
Example:
enable-secret-token-validation = true