Why am I being asked to confirm?

This page explains one of the security measures that Foswiki, the software that runs this site, uses to protect this site from attackers.

Foswiki checks every request it receives from a browser, and tries to verify that the person using that browser sent it intentionally.

An evil person may try to use your login identity to change content in your wiki without your knowledge.

The attacker tries to use your rights to gain something, such as admin rights on the site.

This is also known as Cross-site Request Forgery, or CSRF.

In one possible scenario, an evil person has left a link to lure you into visiting a page on http://crime.org that contains some clever JavaScript.

Their intention is to save compromising data automatically, by sending a request to your server from your browser, under your identity.

If Foswiki detects a suspicious request that may have been sent from such a page, then you are asked to confirm the request.

The checks performed by Foswiki can sometimes be triggered when you do something perfectly innocent, for instance if you click the Back button after saving a page. Foswiki then uses the approach "better safe than sorry".
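The check described above, reduced to its essentials as an added example. This is illustrative Python written for this page, not Foswiki's own code (Foswiki's validation mechanism differs in its details and is not shown here). The idea it demonstrates: every form the server renders carries a random, single-use token tied to your login session; a request that arrives with your session cookie but without a valid unused token looks the same whether a page on another site triggered it or you pressed the Back button after saving, so the server asks for confirmation instead of refusing outright. The names Session, issue_token, check_request, confirm_request and walkthrough, and the constructed session and token values, are assumptions of this example.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

# Added example, not Foswiki's own code: a minimal synchronizer-token check
# that decides whether a state-changing request is accepted, needs
# confirmation, or is rejected.


@dataclass
class Session:
    """State the server keeps for one logged-in browser (identified by its cookie)."""
    session_id: str
    user: str
    # tokens embedded in forms rendered for this session and not yet used
    unused_tokens: set = field(default_factory=set)


def issue_token(session: Session) -> str:
    """Render-time step: embed a fresh, random, single-use token in the form."""
    token = secrets.token_hex(16)
    session.unused_tokens.add(token)
    return token


def _spend_token(session: Session, submitted: str) -> bool:
    """Constant-time lookup of the submitted token; removes it on success."""
    if not submitted.isascii():
        return False  # compare_digest only accepts ASCII strings
    for token in list(session.unused_tokens):
        if hmac.compare_digest(token, submitted):
            session.unused_tokens.remove(token)
            return True
    return False


def check_request(session: Optional[Session], submitted_token: Optional[str]) -> str:
    """Submit-time step. Returns 'ok', 'confirm' or 'reject'."""
    if session is None:
        # No login identity at all: there is nobody to confirm on behalf of.
        return "reject"
    if submitted_token is None or not _spend_token(session, submitted_token):
        # The browser sent the cookie (so the user is logged in) but the request
        # carries no valid unused token. A page on another site can make the
        # browser send the cookie, but it cannot read the token out of a form
        # the wiki rendered, so this is what a forged request looks like. It is
        # also what an innocent resubmission looks like (Back button after a
        # save), so the server asks the person rather than refusing outright.
        return "confirm"
    return "ok"


def confirm_request(session: Session) -> str:
    """The user pressed OK on the confirmation screen: issue a fresh token so the
    pending change can be resubmitted once. Pressing Cancel simply does nothing."""
    return issue_token(session)


def walkthrough() -> dict:
    """The situations the page describes, as constructed requests."""
    session = Session(session_id="sess-1", user="you")  # constructed sample session
    token = issue_token(session)  # you open the edit form
    outcomes = {}
    outcomes["your own save"] = check_request(session, token)             # 'ok'
    outcomes["back button, save again"] = check_request(session, token)   # 'confirm'
    outcomes["request from crime.org"] = check_request(session, None)     # 'confirm'
    # You press OK on the confirmation screen, then the save goes through.
    fresh = confirm_request(session)
    outcomes["after pressing OK"] = check_request(session, fresh)         # 'ok'
    return outcomes


if __name__ == "__main__":
    for situation, outcome in walkthrough().items():
        print(f"{situation:26} -> {outcome}")
```

The "confirm" outcome deliberately does not distinguish the forged request from the innocent Back-button resubmission: the server cannot tell them apart from the request alone, which is exactly the "better safe than sorry" trade-off described above. Only the person at the browser knows which one it was, so the decision is handed back to them.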

Illustration (captions only): a sequence of cartoons. First, you send a request to the webserver running Foswiki. Then either you or an evil person sends a request, and the webserver wonders "Who is requesting this, actually?" and answers "Not sure this is right, please confirm!", showing the dialog "Confirmation required! Press OK to confirm this change was intentional. Press Cancel otherwise" with OK and Cancel buttons. If it was not you: "Ah, no! Ehm, let me go back to correct the page..." and you press Cancel. If it was you: "OK, this is still me!" and you press OK.

Note: you must have cookies and JavaScript enabled in your browser to get past this screen. This is normally the case, but if something does not work, this is the first place to look.

For more detailed information on cross-site request forgery, and the dangers it poses to you, see the Cross-site request forgery article on Wikipedia.

Wiki administrators should read the SecurityFeatures topic on Foswiki.org.

Topic revision: r1 - 21 Jul 2015, ProjectContributor