Including CSRF Tokens in an HTML Webpage

When added to individual report requests, Cross-Site Request Forgery (CSRF) tokens protect against CSRF attacks, where an end user is persuaded to execute unwanted actions on a web application in which they are currently authenticated.

To include CSRF token variables in report requests issued as HTTP Post messages from HTML webpages, add CSRF token variables to the site.wfs file in the WebFOCUS client, and add references to these CSRF variables to -HTMLFORM Dialogue Manager Procedures. The client side site.wfs scripting logic can then send these CSRF variables to the server with any report request that includes references to them. In response, the server returns the CSRF token name and CSRF token values that were automatically generated at the start of the authenticated user session in the HTTP Post message that generates the HTML webpage.

To include references to CSRF token variables in -HTMLFORM Dialogue Manager Procedures, there are two requirements. First, the CSRF Token Name and CSRF Token Value variables must be added to the client side logic by assigning them to the site.wfs file. To do so, type the following values in the Custom Settings page of the Administration Console, and save the updated page.

<SET>IBI_CSRF_Token_Name(PASS)
<SET>IBI_CSRF_Token_Value(PASS)

Second, references to these variables must be added to the -HTMLFORM BEGIN/END section of each -HTMLFORM Dialogue Manager procedure that will use them, as shown in the following example.

-HTMLFORM BEGIN
<body onload="document.form.submit()">
<form name=form id=form action="/ibi_apps/run/ibfs" method="post">
<input type="hidden" name="IBFS_path" value="/WFC/Repository/sales/salesbyregion.fex" />
<input type="hidden" name="IBFS_action" value="run" />
<input type="text" name="COUNTRY" value="ITALY" />
<input type="hidden" name="!IBI.AMP.IBI_CSRF_Token_Name;" value="!IBI.AMP.IBI_CSRF_Token_Value;" />
</form>
-HTMLFORM END

To add CSRF token variables to the site.wfs file, an administrator must type them into the Custom Settings file and then save the updates. Once assigned to the site.wfs file, valid CSRF token name and CSRF token value variables can be delivered from the WebFOCUS Client to the server with each report request that includes references to them.