  1. Moodle
  2. MDL-7737

Remove form referer checks - $CFG->secureforms optional checking

    Details

    • Type: Task
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 1.7
    • Fix Version/s: 1.8
    • Component/s: Libraries
    • Labels:
      None
    • Affected Branches:
      MOODLE_17_STABLE
    • Fixed Branches:
      MOODLE_18_STABLE

      Description

      Currently we have: $CFG->secureforms
      Use additional form security secureforms
      Moodle can use an additional level of security when accepting data from web forms. If this is enabled, then the browser's HTTP_REFERER variable is checked against the current form address. In a very few cases this can cause problems if the user is using a firewall (eg Zonealarm) configured to strip HTTP_REFERER from their web traffic. Symptoms are getting 'stuck' on a form. If your users are having problems with the login page (for example) you might want to disable this setting, although it might leave your site more open to brute-force password attacks. If in doubt, leave this set to 'Yes'.

      Judging from bug reports this feature is not active on many servers (because the bugs in related code would be reported much sooner). New forms lib is always using proper POST request combined with sesskey - we should either add it to forms lib or remove it completely.

      We have discussed it today at HQ and decided to remove it from 1.8...
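
The two checks the description contrasts, run side by side on three submissions, including the stripped-Referer case that leaves users 'stuck' on a form. This is an added example, not code from the issue or from Moodle: the function names, URLs and sample requests are assumptions constructed for illustration.

```php
<?php
// Added illustration; function names are hypothetical, not Moodle's API.

// Referer check of the kind described for $CFG->secureforms: accept the
// submission only if the Referer header points at the form's own address.
function referer_check(array $server, string $formUrl): bool {
    $referer = $server['HTTP_REFERER'] ?? '';
    // Compare the addresses without their query strings.
    return $referer !== '' && strtok($referer, '?') === strtok($formUrl, '?');
}

// Session-key check: the form carries a per-session secret in a hidden
// field, and the POSTed value must equal the copy held in the session.
function sesskey_check(string $method, array $post, array $session): bool {
    $expected = $session['sesskey'] ?? '';
    $supplied = $post['sesskey'] ?? '';
    return $method === 'POST'
        && is_string($supplied) && $expected !== ''
        && hash_equals($expected, $supplied); // constant-time comparison
}

// Constructed sample data.
$formUrl = 'https://moodle.example/login/index.php';
$session = ['sesskey' => bin2hex(random_bytes(16))];

$cases = [
    // Browser sends both the Referer header and the hidden field.
    'normal browser' => [
        ['HTTP_REFERER' => $formUrl], ['sesskey' => $session['sesskey']]],
    // Legitimate user whose firewall removes the Referer header.
    'firewall strips Referer' => [
        [], ['sesskey' => $session['sesskey']]],
    // Submission that did not come from the site's own form: no key.
    'request from another site' => [
        ['HTTP_REFERER' => 'https://other.example/page.html'], []],
];

foreach ($cases as $name => [$server, $post]) {
    printf("%-26s referer=%-5s sesskey=%s\n", $name,
        referer_check($server, $formUrl) ? 'pass' : 'fail',
        sesskey_check('POST', $post, $session) ? 'pass' : 'fail');
}
```

The legitimate user behind the header-stripping firewall fails only the referer check, while the submission from another site fails the sesskey check whatever its Referer header says.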

            People

            • Assignee:
              skodak Petr Skoda
              Reporter:
              skodak Petr Skoda
              Tester:
              Nobody
              Participants:
              Component watchers:
              Amaia Anabitarte, Carlos Escobedo, Ferran Recio, Sara Arjona (@sarjona), Víctor Déniz Falcón

              Dates

              • Created:
                Updated:
                Resolved:
                Fix Release Date:
                31/Mar/07