[ZBXNEXT-8074] Secure CSRF tokens Created: 2022 Nov 01  Updated: 2024 Aug 28  Resolved: 2023 Feb 19

Status: Closed
Project: ZABBIX FEATURE REQUESTS
Component/s: Frontend (F)
Affects Version/s: 6.4 (plan)
Fix Version/s: 6.4.0rc1, 6.4 (plan)

Type: Change Request Priority: Trivial
Reporter: Vjaceslavs Bogdanovs Assignee: Gregory Chalenko
Resolution: Fixed Votes: 0
Labels: security
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Causes
causes ZBX-25087 Documentation scenario doesn't match ... Closed
causes ZBX-22526 Can't delete just exported template Closed
causes ZBX-22811 CSRF token visible in link in Monitor... Closed
Team: Team C
Sprint: Sprint 94 (Nov 2022), Sprint 95 (Dec 2022), Sprint 96 (Jan 2023), Sprint 97 (Feb 2023)
Story Points: 4

Description

CSRF tokens should be generated in a way that is not guessable by an attacker, so that an attacker who wants to send a request must first obtain the CSRF token to include in it. The Zabbix UI uses part of the session id as the CSRF token, and it is never changed between requests (not until the session changes).
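As an added illustration of the property the description asks for (this is not Zabbix's own frontend code, which is PHP), a per-session CSRF token store whose tokens come from a CSPRNG rather than from the session id, are bound to an action, are compared in constant time and are consumed on use. The session ids and action names below are constructed sample values.

```python
import hmac
import secrets


class CsrfTokenStore:
    """Server-side CSRF tokens: random, per session, per action, single use."""

    def __init__(self) -> None:
        # session_id -> {action: token}. In a real application this map lives
        # in server-side session storage, never in a cookie or URL alone.
        self._tokens: dict[str, dict[str, str]] = {}

    def issue(self, session_id: str, action: str) -> str:
        # 32 bytes from the OS CSPRNG: unguessable no matter what an attacker
        # knows about the session identifier, unlike a slice of that id.
        token = secrets.token_urlsafe(32)
        self._tokens.setdefault(session_id, {})[action] = token
        return token

    def validate(self, session_id: str, action: str, presented: str) -> bool:
        # Consume the token whether or not it matches, so the same expected
        # value cannot be retried; the form must be re-issued a fresh one.
        expected = self._tokens.get(session_id, {}).pop(action, None)
        if expected is None:
            return False
        # Constant-time comparison avoids leaking the token via timing.
        return hmac.compare_digest(expected, presented)


def demo() -> dict[str, bool]:
    """Exercise the store with constructed ids; returns the checks' outcomes."""
    store = CsrfTokenStore()
    token = store.issue("session-A", "host.delete")  # constructed values
    first_use = store.validate("session-A", "host.delete", token)
    replay = store.validate("session-A", "host.delete", token)
    fresh = store.issue("session-A", "host.delete")
    return {
        "first_use_accepted": first_use,
        "replay_rejected": not replay,
        "rotated_after_use": fresh != token,
        "other_session_rejected": not store.validate("session-B", "host.delete", fresh),
        "other_action_rejected": not store.validate("session-A", "template.delete", fresh),
        "still_valid_for_owner": store.validate("session-A", "host.delete", fresh),
    }
```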



Comments
Comment by Elina Pulke [ 2023 Jan 09 ]

Implemented in development branch feature/ZBXNEXT-8074-6.3.

Comment by Gregory Chalenko [ 2023 Feb 03 ]

Implemented in:

6.4.0rc1 bd03730eeb8, f9ca02942c6

Comment by Marina Generalova [ 2023 Feb 14 ]

Documentation updated:
