CSRF and the Learner Filter
Recently we added protection against CSRF attacks to the TrainOnline LMS. While this is an important security feature, it caused some problems in all the filters, mainly the Learner filter, which is used in several places of the application.
CSRF (Cross-Site Request Forgery) is no threat to be taken lightly when developing a secure web application. As we claim the TrainOnline LMS to be secure by design, we strive to use all the security features provided by the underlying symfony framework.
With the new version of the symfony framework, which is the basis for the upcoming 1.4 release of TrainOnline LMS, the forms have again been hardened against attacks. The key component is the _csrf_token, which has to be passed by all forms, including filter forms.
Since we store the selected filters in the user object, we had some problems with binding the form without having a proper _csrf_token. It took a little while, but everything is fixed now. Additionally, the pager and the filters have become even more robust through the new way of managing the filters.
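As an added example (not code from the TrainOnline LMS), here is how a symfony 1.x action can keep user-stored filter values and CSRF protection from conflicting: the filter form is bound only on an actual submission, which carries the _csrf_token, while previously stored values are re-applied with setDefaults() instead of a second bind(). The module name, the LearnerFormFilter class and the user attribute name are assumptions.

```php
<?php
// Assumed symfony 1.x action; CSRF protection is enabled globally via
// csrf_secret in settings.yml, so every form, filter forms included,
// expects a valid _csrf_token on bind().
class learnerActions extends sfActions
{
  public function executeIndex(sfWebRequest $request)
  {
    // Assumed Doctrine filter form class for the Learner model.
    $this->filters = new LearnerFormFilter();

    if ($request->isMethod('post')) {
      // Real submission: bind the tainted values, _csrf_token included.
      // A missing or wrong token makes the form invalid (global error).
      $this->filters->bind($request->getParameter($this->filters->getName()));

      if ($this->filters->isValid()) {
        // getValues() holds the cleaned values without the CSRF token,
        // so they are safe to persist in the user session.
        $this->getUser()->setAttribute('learner.filters', $this->filters->getValues());
      }
    } else {
      // Restoring stored filters: do NOT call bind() here. The stored
      // values contain no _csrf_token, so a bind would always fail the
      // CSRF validator. setDefaults() pre-fills the widgets instead.
      $this->filters->setDefaults($this->getUser()->getAttribute('learner.filters', array()));
    }

    // Build the listing from whatever filters are currently stored.
    $values = $this->getUser()->getAttribute('learner.filters', array());
    $this->pager = new sfDoctrinePager('Learner', 20);
    $this->pager->setQuery($this->filters->buildQuery($values));
    $this->pager->setPage($request->getParameter('page', 1));
    $this->pager->init();
  }
}
```

In the template, rendering the form's hidden fields (renderHiddenFields()) emits the _csrf_token, so each submitted filter form carries a fresh token while the stored values never need one.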
