Configure anti-CSRF token validation

Cross-site request forgery (CSRF) is an attack in which a malicious site causes the browser of an already-authenticated user to send requests the user did not intend. Because the browser attaches the session cookie automatically, the attacker inherits the identity and privileges of the victim and performs undesired functions, such as data manipulation, on their behalf.

To mitigate this attack, LSF uses the double-submit cookie approach: the client application submits the anti-CSRF token twice, once as a cookie and once as a custom request header, and the server validates that the two copies match.

Server-side implementation

LSF security issues an SSO.CSRF token upon successful authentication. This token is added as a cookie to the HTTP response. On every subsequent request, IOS expects two copies of the SSO.CSRF token: one as a cookie and another as a custom request header. IOS validates the request by checking that the two copies match; if they do not, an error message is returned to the client application. If either or both copies are missing, an error message is also returned. The check works because a cross-site page can make the browser send the cookie but cannot read it or add a custom header to the request, so only a client running in the application's own origin can supply the matching header value.

Diagram: LSF connectivity with client changes (tr_diagram_lsf_connectivity_with_client_changes)

Diagram: LSF connectivity without client changes (tr_diagram_lsf_connectivity_without_client_changes)

SSO.CSRF token generation is enabled by default in LSF security. To disable it, modify the following SSOP service property using the ssoconfig command:

GenerateCsrfTokens

true – generates the SSO.CSRF token and adds it as a cookie to the HTTP response.

false – does not generate the SSO.CSRF token.

Note: If this property is not present, the SSO.CSRF token is still generated and added as a cookie.

Anti-CSRF validation is disabled by default. To toggle this setting, modify the property below in iosconfig.xml. See Infor Lawson Administration: Server Setup and Maintenance.

com.lawson.ios.performCSRFCheck

false – no anti-CSRF validation is performed.

true – anti-CSRF validation is performed on the LSF server.

Note that when anti-CSRF validation is enabled on the server, all incoming requests are validated. If a client application does not have the required client-side implementation (that is, sending both copies of the SSO.CSRF token), it receives an error message from the IOS web service that was called. Deploy the client-side change before setting com.lawson.ios.performCSRFCheck to true, and keep GenerateCsrfTokens set to true while validation is enabled; otherwise no cookie is issued and every request fails the check.