What are the best practices in CSRF-proofing a Liferay 5.2.3 based site? OWASP recommends (http://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet#General_Recommendation:_Synchronizer_Token_Pattern) using the Synchronizer token pattern, but doing this manually seems to be tedious, especially sharing the token across multiple portlets.

A comprehensive portlet container should be equipped to deal with this, and a bug report from the Liferay site also seems to suggest that it does. However, I couldn't find any further information on how to do this.
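A minimal sketch of the synchronizer token pattern in a JSR-286 portlet, added here as an example; it is not code from the question or from Liferay, and the attribute and parameter names are made up. It stores the token in the portlet session's APPLICATION_SCOPE, which every portlet in the same portlet application (the same WAR) can read, so those portlets share one token instead of each minting its own.

```java
import java.io.IOException;
import java.math.BigInteger;
import java.security.SecureRandom;
import javax.portlet.*;

public class CsrfTokenPortlet extends GenericPortlet {
    // Hypothetical names; APPLICATION_SCOPE shares the attribute with every portlet in the same portlet application
    private static final String TOKEN_ATTR = "example.csrf.token";
    private static final String TOKEN_PARAM = "csrfToken";
    private static final SecureRandom RNG = new SecureRandom();

    // Return the session's token, minting a 256-bit random one on first use
    static String currentToken(PortletSession session) {
        synchronized (session) {
            String token = (String) session.getAttribute(TOKEN_ATTR, PortletSession.APPLICATION_SCOPE);
            if (token == null) {
                byte[] raw = new byte[32];
                RNG.nextBytes(raw);
                token = String.format("%064x", new BigInteger(1, raw));
                session.setAttribute(TOKEN_ATTR, token, PortletSession.APPLICATION_SCOPE);
            }
            return token;
        }
    }

    // Constant-time comparison so a mismatch does not leak how many leading characters matched
    static boolean isValidToken(String expected, String submitted) {
        if (expected == null || submitted == null || expected.length() != submitted.length()) return false;
        int diff = 0;
        for (int i = 0; i < expected.length(); i++) diff |= expected.charAt(i) ^ submitted.charAt(i);
        return diff == 0;
    }
    @Override
    protected void doView(RenderRequest request, RenderResponse response) throws PortletException, IOException {
        response.setContentType("text/html");
        String token = currentToken(request.getPortletSession());  // hex output needs no HTML escaping
        response.getWriter().println("<form method=\"post\" action=\"" + response.createActionURL() + "\">"
            + "<input type=\"hidden\" name=\"" + TOKEN_PARAM + "\" value=\"" + token + "\"/>"
            + "<input type=\"text\" name=\"comment\"/><input type=\"submit\" value=\"Post\"/></form>");
    }

    @Override
    public void processAction(ActionRequest request, ActionResponse response) throws PortletException, IOException {
        String expected = (String) request.getPortletSession().getAttribute(TOKEN_ATTR, PortletSession.APPLICATION_SCOPE);
        if (!isValidToken(expected, request.getParameter(TOKEN_PARAM))) {
            response.setRenderParameter("error", "csrf");  // reject: token missing or mismatched
            return;
        }
        // token valid: perform the state-changing operation (e.g. save the comment) here
    }
}
```

Every portlet that performs a state change checks the same session attribute in processAction, so a form rendered by one portlet can be submitted to another without the token failing.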