Security matters for an online e-commerce store. One dangerous attack is CSRF, Cross-Site Request Forgery; a description is at http://en.wikipedia.org/wiki/Cross-site_request_forgery. The login action in the bootstrap template is vulnerable to CSRF.
Once a customer has logged into your store successfully, a valid login cookie for your store is stored in his browser. From then on, all the attacker needs to do is get that browser to make a request to your store on the customer's behalf: the browser attaches the cookie automatically, so the store cannot tell the forged request from a genuine one.
So we have to generate a security token, store it in the session and add it to the login form. When the login data is posted to the server, we check the submitted token against the one stored in the session. If the token is missing, or does not match the token stored in the session, the script stops immediately instead of processing the login.
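The token check described above, as an added example in PHP (TomatoCart is a PHP application). This is not the code from the security patch or from TomatoCart itself; the function names, the session key `login_csrf_token` and the form field name `csrf_token` are assumptions chosen for the illustration.

```php
<?php
// Added example (not TomatoCart's or the patch's own code): a minimal
// anti-CSRF token for a login form. Function names, the session key and
// the form field name are assumptions made for this illustration.

declare(strict_types=1);

const CSRF_SESSION_KEY = 'login_csrf_token';   // assumed session key
const CSRF_FIELD_NAME  = 'csrf_token';         // assumed form field name

// Generate a random token once per session and keep it server-side.
function csrf_get_token(): string
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (empty($_SESSION[CSRF_SESSION_KEY])) {
        // 32 bytes from the CSPRNG, hex-encoded: 64 characters.
        $_SESSION[CSRF_SESSION_KEY] = bin2hex(random_bytes(32));
    }
    return $_SESSION[CSRF_SESSION_KEY];
}

// Hidden input to embed in every form that posts to the login action
// (the main login page and any login box module alike).
function csrf_hidden_field(): string
{
    $token = htmlspecialchars(csrf_get_token(), ENT_QUOTES, 'UTF-8');
    return '<input type="hidden" name="' . CSRF_FIELD_NAME
         . '" value="' . $token . '">';
}

// Validate the submitted token. Returns false when the field is missing,
// the session holds no token, or the two values differ. hash_equals()
// compares in constant time, so the comparison leaks no timing information.
function csrf_validate(array $post): bool
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $expected  = $_SESSION[CSRF_SESSION_KEY] ?? null;
    $submitted = $post[CSRF_FIELD_NAME] ?? null;
    if (!is_string($expected) || $expected === '' || !is_string($submitted)) {
        return false;
    }
    return hash_equals($expected, $submitted);
}

// --- Usage in a simplified login action ---
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_validate($_POST)) {
        // Token missing or wrong: stop before touching the credentials.
        http_response_code(403);
        exit('Invalid or missing security token.');
    }
    // ... normal email/password checks follow here ...
} else {
    // Render the login form with the token included.
    echo '<form method="post" action="login">'
       . csrf_hidden_field()
       . '<input type="email" name="email">'
       . '<input type="password" name="password">'
       . '<button type="submit">Log in</button>'
       . '</form>';
}
```

Two points worth noting when adapting this: the hidden field must be present in every form that submits to the protected action, otherwise those forms stop working once the check is enforced; and after a successful login it is good practice to call `session_regenerate_id(true)` and issue a fresh token, so a token obtained before login is not valid afterwards.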
Please apply the security patch to your store as follows:
Step 1. Download the security patch from https://www.dropbox.com/s/35lb5tkheqb887h/crsf.zip?dl=0
Step 2. Unzip it and you will find the following three folders in it:
- ext
- includes
- templates
Step 3. Copy the above three folders into your TomatoCart root directory to overwrite the original ones. Back up the original files first so you can roll back if something in your template breaks.
That's it. After completing the above three steps, the security token will be generated automatically and checked on every login submission to prevent the attack.
Can you please tell how to add this to the login box module for those who use it as well? As it's no good if it's not covered, please.