Why am I being asked to confirm?

This page explains one of the security measures that Foswiki, the software that runs this site, performs to secure this site from attackers.

Foswiki checks every request it receives from a browser and tries to verify that the person using that browser sent it intentionally.

An attacker may try to use your login identity to change content in your wiki without your knowledge, or to use your access rights to gain something further, such as admin rights for the site. This is known as Cross-site Request Forgery, or CSRF.

In one possible scenario, an attacker has left a link somewhere to lure you into visiting a page on http://crime.org that contains some clever JavaScript.

Its intention is to save compromising data automatically by sending a request to your server from your browser, so that the request arrives carrying your identity (your login cookie).

If Foswiki detects a suspicious request that may have been sent from such a page, then you are asked to confirm the request.

The checks performed by Foswiki can sometimes be triggered by something perfectly innocent, for instance if you click the Back button after saving a page and the old form is submitted again. In that case Foswiki takes the approach "better safe than sorry".

[Figure: sequence diagram. A request reaches the web server running Foswiki, which cannot tell whether it came from you or from an evil person ("Who is requesting this, actually?"). The server answers "Not sure this is right, please confirm!" and shows the dialog "Confirmation required! Press OK to confirm this change was intentional. Press Cancel otherwise." In the forged case you press Cancel ("Ah, no! Ehm, let me go back to correct the page..."); in the innocent case you press OK ("OK, this is still me!").]

Note: you must have cookies and JavaScript enabled in your browser to get past this screen. This is normally the case, but if something doesn't work, this is the first thing to check.

For more detailed information on cross-site request forgery and the dangers it poses to you, see the Cross-site request forgery article on Wikipedia.

Wiki administrators should read about the Foswiki security features.

Topic revision: r10 - 18 Nov 2009, CrawfordCurrie