enable-secret-token-validation

Use the enable-secret-token-validation stanza entry to enable secret token validation, which protects certain WebSEAL account management pages against cross-site request forgery (CSRF) attacks.

Syntax

enable-secret-token-validation = {true|false}

Description

Use this entry to enable secret token validation, which protects certain WebSEAL account management pages against cross-site request forgery (CSRF) attacks. If you set this entry to true, WebSEAL adds a token to each session and validates the "token" query argument for the following account management requests:
  • /pkmslogin.form
  • /pkmslogout
  • /pkmslogout-nomas
  • /pkmssu.form
  • /pkmsskip
  • /pkmsdisplace
  • /pkmspaswd.form
  • /pkmsoidc
For example, you must change the /pkmslogout request to pkmslogout?token=<value>, where <value> is the unique session token.

If secret token validation is enabled and the token argument is missing from the request or does not match the session token, WebSEAL returns an error page. For more information about secret token validation, search for "CSRF" in the IBM Verify Identity Access: Web Reverse Proxy Configuration Guide.

Options

true
WebSEAL uses secret token validation to protect against CSRF attacks.
Note: This setting modifies the URLs for the affected WebSEAL management pages. Each of these management requests must contain a "token" argument with the current session token.
false
WebSEAL does not use secret token validation.

Usage

This stanza entry is optional.

Default value

false

Example

enable-secret-token-validation = true