With another account, but I'm the TS.
I have looked into this issue again, and there does seem to be something vulnerable.
Set-up: we have implemented a module, and inserted it on the website. This module does some processing in the back-end, but that is not relevant.
- I open this page in a browser, and intercept the submission with Fiddler
- I open the same page in a browser as another user, and note my session id on a piece of paper
- IOn the PC with Fiddler open, I replay and intercept the first request. I change the session id with the one I wrote on a piece of paper, and submit.
=> The request is approved and effectively executed.
This seems like CSRF to me. So I need some custom protection for all of my modules to protect against that?