V2.2.4 - Unclear what purpose is of checking unexpected tokens? #571

Closed
securitybits opened this issue Feb 26, 2019 · 3 comments

Labels: 1) Discussion ongoing (issue is opened and assigned but no clear proposal yet); Community needed (this issue will not be progressed without community input; will be closed if stale); Community wanted (we would like feedback from the community to guide our decision, otherwise we will progress); _5.0 - prep (this needs to be addressed to prepare 5.0)

securitybits commented Feb 26, 2019

Verify that all authentication data provided by the user is checked for validity, even if it is unexpected. For example, if an authentication form offers a username and password and an optional token, the server should always check a token value provided, even if the user was not expected to have a token value to provide.

I'm struggling to see what the intended purpose behind this is, and what a token should be validated against if the user is not expected to have such a token in the first place. Can we clarify what the value of this control is?

@vanderaj vanderaj added this to the 4.0 milestone Feb 26, 2019
@vanderaj vanderaj added the QA label Feb 26, 2019
@vanderaj vanderaj self-assigned this Feb 26, 2019
vanderaj (Member) commented

Removed

tghosth (Collaborator) commented Jan 12, 2023

This was added in response to #257

Verify that all authentication data provided by the user is checked for validity, even if it is unexpected. For example, if an authentication function checks a username and password and an MFA token, the server should always check the MFA value provided, even if the user was not expected to provide an MFA value.

Not sure if we should put this back for 5.0...
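To make the quoted requirement concrete, here is an added example that is not part of ASVS or of this issue thread. It contrasts a lenient login handler, which only looks at the MFA token when the server expects one, with a strict handler that validates every submitted factor. The strict handler encodes one reading of the requirement (assumed here, not the project's resolution of the question asked in this issue): a token sent by an account with no enrolled authenticator cannot be verified, so it is rejected as invalid input rather than silently discarded. The user store, passwords and TOTP secret are constructed for the illustration; the TOTP helper is a plain RFC 6238 implementation evaluated at a fixed timestamp so results are reproducible.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed demo data (hypothetical). A real system uses a random salt per user.
SALT = b"fixed-salt-for-demo"


def hash_password(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 50_000)


@dataclass
class User:
    password_hash: bytes
    totp_secret: Optional[bytes]  # None means the user never enrolled in MFA


USERS: Dict[str, User] = {
    # alice has MFA enrolled (secret is the RFC 4226 test vector, not a real one)
    "alice": User(hash_password("correct horse"), totp_secret=b"12345678901234567890"),
    # bob has no MFA authenticator, so the server never expects a token from him
    "bob": User(hash_password("battery staple"), totp_secret=None),
}


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the time step containing unix time `at`."""
    counter = struct.pack(">Q", at // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def password_ok(user: Optional[User], password: str) -> bool:
    # Always run the expensive hash so timing does not reveal whether the account exists.
    candidate = hash_password(password)
    if user is None:
        return False
    return hmac.compare_digest(candidate, user.password_hash)


def login_lenient(username: str, password: str, token: Optional[str], now: int) -> str:
    """Anti-pattern: the token is only examined when this user is expected to have one."""
    user = USERS.get(username)
    if not password_ok(user, password):
        return "denied"
    if user.totp_secret is not None:
        if token is None or not hmac.compare_digest(token, totp(user.totp_secret, now)):
            return "denied"
    return "ok"  # a token submitted by a non-enrolled user is silently ignored


def login_strict(username: str, password: str, token: Optional[str], now: int) -> str:
    """Reading of V2.2.4 assumed here: every factor the client submits is validated.
    A token from an account with no enrolled authenticator has nothing to validate
    against, so it is treated as invalid input and the attempt is refused."""
    user = USERS.get(username)
    if not password_ok(user, password):
        return "denied"
    if user.totp_secret is None:
        return "ok" if token is None else "denied"  # unexpected token: reject, do not drop
    if token is None:
        return "denied"
    return "ok" if hmac.compare_digest(token, totp(user.totp_secret, now)) else "denied"


if __name__ == "__main__":
    now = 1_000_000  # fixed timestamp so the expected code is stable
    code = totp(USERS["alice"].totp_secret, now)
    print("alice with valid token  :", login_strict("alice", "correct horse", code, now))
    print("bob, no token           :", login_strict("bob", "battery staple", None, now))
    print("bob, unexpected token   :", login_strict("bob", "battery staple", "123456", now))
    print("  same, lenient handler :", login_lenient("bob", "battery staple", "123456", now))
```

The difference between the two handlers is only the branch for a user with no enrolled authenticator: the lenient version drops the field, the strict version treats any submitted authentication data as a claim that must verify. Whether that rejection is the intended purpose of the control is exactly what this issue asks; the code shows what the requirement text, taken literally, implies.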

@tghosth tghosth reopened this Jan 12, 2023
tghosth (Collaborator) commented Jan 12, 2023

@stevespringett

@tghosth tghosth added the labels "1) Discussion ongoing", "_5.0 - prep", "Community wanted" and "Community needed" Jan 12, 2023
@elarlang elarlang assigned tghosth and unassigned vanderaj Jun 1, 2023
@tghosth tghosth closed this as not planned (won't fix, can't repro, duplicate, stale) Jun 15, 2023