Issue Type: Feature Request
Affects Versions: 1.0.0.CR1
Assignee: Bruno Oliveira
Components: controller , security
Created: 12/Dec/12 6:28 AM
Description:

These tokens must be checked for validity at the server before the request is processed; we can make use of OTP to create our nonce values. This prevention is necessary to avoid CSRF attacks. At our demo, for example, the URL below doesn't check if the user is logged in, which enables attackers to CSRF.

<form method="POST" action="http://controller-aerogear.rhcloud.com/aerogear-controller-demo/otp" enctype="application/x-www-form-urlencoded" autocomplete="on"> ... </form>

Fix Versions: 1.0.0.CR1
Project: AeroGear
Priority: Major
Reporter: Bruno Oliveira
Security Level: Public (Everyone can see)
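The server-side check the issue asks for, written out as an added example (this is illustration code, not AeroGear Controller code and not part of the issue): each logged-in session holds a secret and a counter, the form is rendered with an HOTP value (RFC 4226) derived from them, and the POST is only processed if the submitted value matches and has not been used before. The Session and CsrfGuard classes, the session-id cookie, the demo request sequence and the rejection strings are all assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import struct
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a zero-padded decimal code."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class Session:
    """Server-side state for one logged-in user (assumed shape for this example)."""

    def __init__(self, user: str) -> None:
        self.user = user
        self.csrf_secret = secrets.token_bytes(20)  # never sent to the browser
        self.counter = 0                            # advances on each consumed token


class CsrfGuard:
    """Issues per-form nonces and checks them before a POST handler runs."""

    def __init__(self) -> None:
        self.sessions: dict[str, Session] = {}

    def login(self, user: str) -> str:
        """Create a session; the returned id is what the session cookie would carry."""
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = Session(user)
        return sid

    def issue_token(self, sid: str) -> str:
        """Called while rendering the form; the value goes into a hidden field.
        A cross-site page cannot read it because of the same-origin policy."""
        s = self.sessions[sid]
        return hotp(s.csrf_secret, s.counter)

    def validate(self, sid: Optional[str], token: Optional[str]) -> str:
        """Run before the handler. Returns "ok" or the reason the request is refused."""
        s = self.sessions.get(sid) if sid else None
        if s is None:
            return "rejected: not logged in"       # the check the demo URL lacks
        if not token:
            return "rejected: missing token"       # plain cross-site form post
        expected = hotp(s.csrf_secret, s.counter)
        if not hmac.compare_digest(expected, token):  # constant-time compare
            return "rejected: invalid token"
        s.counter += 1   # one-time use: the same value is never accepted twice
        return "ok"


def demo() -> list[str]:
    """Constructed request sequence: one legitimate submit, then four attacks."""
    guard = CsrfGuard()
    sid = guard.login("alice")
    token = guard.issue_token(sid)
    return [
        guard.validate(sid, token),          # legitimate form submission
        guard.validate(sid, token),          # replay of the consumed token
        guard.validate(sid, "not-a-token"),  # attacker-supplied guess
        guard.validate(sid, None),           # cross-site form without the field
        guard.validate(None, token),         # no session cookie at all
    ]


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

The counter makes each issued value single-use, so a token leaked from one rendered page cannot be replayed; if several forms are open at once the server has to either issue them from separate counters or accept a small look-ahead window, as HOTP verifiers normally do.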