Unable to open application on second tab in secured environment
Summary
Unable to open the Pega application on a second tab in a secured environment. However, this works in an unsecured environment.
*sxyzNA*NA*NA*NA*NA*NA*NA*NA*NA*NA*NA*NA*Cross Site Request Forgery attack detected and was blocked.
Steps to Reproduce
- Log in to the application.
- Open a second tab.
- Copy or paste the base URL.
Root Cause
A defect or configuration issue in the operating environment.
The behavior occurs because the security/csrf/secureall setting is set to true.
Cross-Site Request Forgery (CSRF) protection shields the user from unsolicited requests being made to a server on their behalf.
For example, if a user logs in to a shopping website, a malicious website can contain a hidden link that sends an HTTP request to buy an item. If the shopping website is not protected against CSRF, the attack succeeds: because the user is logged in, the browser automatically attaches the website's cookie to that request.
To prevent this, Pega has built-in mechanisms that rely on the referrer and on a unique token ID passed with the request (the unique token ID is not, and should not be, a cookie or header, since those are sent automatically by the browser).
Returning to the reported scenario: if a new tab is opened and the base URL is pasted (such as http://host:port/prweb/PRServlet), the user was already authenticated before the second tab was opened.
At this point, the browser sends an HTTP request that carries the Pega cookies but contains neither a referrer nor a unique token ID. Hence the Pega server (or any server) cannot distinguish this legitimate request from a CSRF attack.
With security/csrf/secureall enabled, every request is subjected to this CSRF check, so the second-tab request is blocked.
Resolution
Perform the following local change:
- Set security/csrf/secureall to false.
- Set the security/csrf/securedActivities and security/csrf/securedStreams settings. These should list the activities and streams that must be secured against CSRF, and they provide CSRF mitigation when the blanket secureall check is too restrictive.
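To make the root cause and the resolution concrete, here is an added illustrative model of the decision the article describes (it is not Pega's code): a request is blocked when CSRF checking applies to it and it carries no valid session-bound token or matching referrer. The secret, session value, request fields and the activity name "PlaceOrder" are constructed for the example; the token is derived with an HMAC over the session cookie as an assumption, since the article does not describe how Pega generates it.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlparse

# Constructed server secret for this example; a real deployment keeps this in a secret store.
SERVER_SECRET = b"example-only-server-secret"
SITE_ORIGIN = "http://host:port/prweb/PRServlet"

@dataclass
class Request:
    # A simplified HTTP request as the server sees it. The cookie rides along with every
    # browser request; the token and referrer are present only if the app page added them.
    session_cookie: Optional[str]
    activity: Optional[str] = None
    stream: Optional[str] = None
    csrf_token: Optional[str] = None
    referrer: Optional[str] = None

def issue_token(session_cookie: str) -> str:
    """Per-session token that the application embeds in its own requests (not a cookie)."""
    return hmac.new(SERVER_SECRET, session_cookie.encode(), hashlib.sha256).hexdigest()

def referrer_matches(referrer: Optional[str]) -> bool:
    """Referrer must name the same host as the application itself."""
    return bool(referrer) and urlparse(referrer).netloc == urlparse(SITE_ORIGIN).netloc

def decide(req: Request, secureall: bool, secured_activities=(), secured_streams=()) -> str:
    """Return 'allow' or 'block', mirroring the secureall / securedActivities / securedStreams semantics."""
    if req.session_cookie is None:
        return "block"  # not authenticated at all
    needs_check = secureall or req.activity in secured_activities or req.stream in secured_streams
    if not needs_check:
        return "allow"
    expected = issue_token(req.session_cookie)
    token_ok = req.csrf_token is not None and hmac.compare_digest(expected, req.csrf_token)
    return "allow" if token_ok and referrer_matches(req.referrer) else "block"

def second_tab_base_url() -> Request:
    """Pasting the base URL into a new tab: cookie is sent, but no referrer and no token."""
    return Request(session_cookie="sess-123")

def in_app_request(activity: str) -> Request:
    """A request issued from the application's own page: token and referrer are present."""
    return Request("sess-123", activity=activity, csrf_token=issue_token("sess-123"),
                   referrer=SITE_ORIGIN + "/some/page")

def forged_cross_site_request(activity: str) -> Request:
    """The shopping-site scenario: the browser attaches the cookie, but the token is absent."""
    return Request("sess-123", activity=activity, referrer="http://other-site.example/")
```

With secureall on, the second-tab request is blocked exactly as the article's log line shows; with secureall off and "PlaceOrder" listed as a secured activity, the base URL opens while a forged request for that activity is still blocked.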
Published October 15, 2018 — Updated December 8, 2018