Network Security Recommends PRG Pattern on Forgot-Password form

We are attempting to get an instance of Omeka-S running on our university’s servers. As part of the process, our network security department performs a scan on the site prior to allowing it to be exposed publicly. They found that we are subject to form resubmission with previously entered data on the forgot-password form and recommend we implement a Put/Request/Get (PRG) pattern to mitigate this weakness. What is the best way to address this situation, preferably with as little overriding existing Omeka-S code as possible?

What’s the specific issue or finding here?

The forgot-password page is already a post-redirect-get: you submit your email, then you’re redirected to the login form.
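A way to confirm by hand what the reply above describes, as an added example that is not part of the original thread or of Omeka-S: send the form POST without following redirects and check that the response is a redirect rather than a rendered page. The two handlers, the `/forgot-password` and `/login` paths, and the sample email are constructed stand-ins; against a real site, point `check_prg` at its host and form path.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

class RedirectAfterPost(BaseHTTPRequestHandler):
    """Constructed stand-in: form handler that follows Post/Redirect/Get."""
    def do_POST(self):
        self.rfile.read(int(self.headers.get("Content-Length", 0)))
        self.send_response(303)
        self.send_header("Location", "/login")  # assumed redirect target
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):  # keep the demo quiet
        pass

class RenderAfterPost(RedirectAfterPost):
    """Constructed counter-example: renders the result straight from the POST."""
    def do_POST(self):
        self.rfile.read(int(self.headers.get("Content-Length", 0)))
        body = b"<p>Check your email</p>"
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

def check_prg(host, port, path, form_body):
    """POST the form once; http.client never follows redirects on its own."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    conn.request("POST", path, body=form_body,
                 headers={"Content-Type": "application/x-www-form-urlencoded"})
    resp = conn.getresponse()
    resp.read()
    location = resp.getheader("Location")
    conn.close()
    # 302/303 make the browser issue a GET next, so a refresh cannot resubmit.
    # 307/308 preserve the POST method, so they do not count as PRG.
    prg = resp.status in (302, 303) and bool(location)
    return {"status": resp.status, "location": location, "prg": prg}

def demo(handler):
    # Start the constructed handler on a free local port and check it.
    server = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return check_prg("127.0.0.1", server.server_port,
                         "/forgot-password", "email=user%40example.edu")
    finally:
        server.shutdown()
        server.server_close()

if __name__ == "__main__":
    print(demo(RedirectAfterPost), demo(RenderAfterPost))
```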

Thank you for your reply. I confirmed that I cannot resubmit forms with old data. I suspect the issues found by the automated scanner may be false positives. I await a response from our IT Security people.

Confirmed – this was a result of the automated security scan. A human assessment has cleared this issue for us. Thanks for your reply.