Allow logged-in users to access the home module with a referer
The CSRF protection of vtigerCRM is done by checking the referer field.
If a user with a logged-in session is accessing vtigerCRM with a referer URL other than the $site_URL, the request could be the result of a CSRF attack (e.g. clicking on a malicious link that asks the victim's browser to send a request with the logged-in session to perform some privileged operation). This checking is safe and usually necessary.
However, for users who open vtigerCRM from a normal hyperlink, the user will be blocked. Here is the detailed scenario:
- The company established an internal website with shortcuts for all internal services.
- The website (e.g. https://internal.my.com) contains a hyperlink for the vtigerCRM service (e.g. https://vtigercrm.my.com).
- A vtigerCRM user logged in to vtigercrm.my.com, finished his/her job on vtigerCRM and closed the browser tab.
- A few minutes later, he/she clicked the hyperlink for https://vtigercrm.my.com from https://internal.my.com, and he/she will see https://vtigercrm.my.com showing "Illegal request", since the browser is still carrying a valid login session and the browser inserted "referer: https://internal.my.com", which does not match the URL specified by $site_URL.
The CSRF checking is sometimes not necessary for the home module, since the home module is just an entrance page. By checking that there are no other POST or GET parameters, I can ensure that accessing the home module via a hyperlink from any other website is safe.
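The decision described above, modelled in Python as an added example (this is not vtigerCRM's own code): the referer is compared by parsed origin against a constructed stand-in for $site_URL, and the only exception to the strict check is a plain GET for the Home module that carries no other GET or POST parameters. Treating a missing or unparsable referer as "not matching" is an assumption of this example, not something the description states.

```python
from urllib.parse import urlsplit

# Constructed stand-in for vtigerCRM's $site_URL (example value only).
SITE_URL = "https://vtigercrm.my.com"


def _origin(url):
    """Return (scheme, host, port) for a URL, or None if it has no host.
    Comparing parsed origins, rather than testing whether the referer
    string starts with the site URL, keeps look-alike hosts from matching."""
    if not url:
        return None
    p = urlsplit(url)
    if not p.scheme or not p.hostname:
        return None
    port = p.port or {"http": 80, "https": 443}.get(p.scheme.lower())
    return (p.scheme.lower(), p.hostname.lower(), port)


def referer_matches_site(referer, site_url=SITE_URL):
    """The existing check: the Referer must come from $site_URL itself.
    A missing or unparsable Referer counts as not matching (assumption)."""
    origin = _origin(referer)
    return origin is not None and origin == _origin(site_url)


def is_bare_home_request(method, params):
    """The proposed exception: a GET for the Home module with no other
    GET or POST parameters. Anything else keeps the strict check."""
    return method.upper() == "GET" and dict(params) == {"module": "Home"}


def check_request(method, params, referer, site_url=SITE_URL):
    """Return 'allow' or 'illegal' for one request.
    params is the merged GET/POST parameter dict; referer is the raw
    Referer header value, or None when the browser sent none."""
    if referer_matches_site(referer, site_url):
        return "allow"
    if is_bare_home_request(method, params):
        return "allow"
    return "illegal"


if __name__ == "__main__":
    # The scenario from the description: the portal link to the home module.
    print(check_request("GET", {"module": "Home"}, "https://internal.my.com"))  # allow
    # Same referer, but an extra parameter is present: the strict check stays.
    print(check_request("GET", {"module": "Home", "action": "x"}, "https://internal.my.com"))  # illegal
    # A cross-site POST to a privileged module is still rejected.
    print(check_request("POST", {"module": "Users", "action": "Save"}, "https://internal.my.com"))  # illegal
```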