Cross-Site Request Forgery

Cross-site request forgery (CSRF) is a common web application vulnerability that has been around for years. Because it is so prevalent in web applications, it has been listed as one of the top web vulnerabilities since 2007.

Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they’re currently authenticated. CSRF attacks specifically target state-changing requests, not theft of data, since the attacker has no way to see the response to the forged request. Because the victim sends the request (not the attacker), it can be very difficult to determine that the request represents a CSRF attack. In fact, if you have not taken specific steps to mitigate the risk of CSRF attacks, your applications are most likely vulnerable.

Within the Lightning platform, Salesforce has implemented an anti-CSRF token to prevent this attack. Every page includes a random string of characters as a hidden form field. Upon the next page load, the application checks the validity of this string of characters and does not execute the command unless the value matches the expected value. This feature protects you when using all of the standard controllers and methods.

You can see the CSRF setting at Setup -> Security Controls -> Session Settings.

With this setting enabled, whenever an Apex form is loaded, the platform includes a com.salesforce.visualforce.ViewStateCSRF parameter in the form, and that token is validated on submission. This token is in line with the anti-CSRF token requirements mentioned above: it is unique per request and unique per user.

There are no built-in defenses for situations like this, and developers should be cautious about writing pages that take action based upon a user-supplied parameter like the id variable in the preceding example. A possible work-around is to insert an intermediate confirmation page before taking the action, so that the action only runs once the user has confirmed that they intended to call the page. Other suggestions include shortening the idle session timeout for the organization and educating users to log out of their active session and not use their browser to visit other sites while authenticated.
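To make the token mechanism and the confirmation-page work-around concrete, here is an added example in Python. It is not Salesforce or Visualforce code and does not reproduce how ViewStateCSRF is implemented; it is a generic synchronizer-token handler with hypothetical names (CsrfProtectedApp, render_form, delete_record, confirm_delete_get) and an in-memory dict standing in for a session store. It shows the two properties the text calls out (a token unique per request and bound to the user's session) and shows a GET that carries a record id rendering a token-protected confirmation form instead of acting on the id directly.

```python
import hmac
import secrets


class CsrfProtectedApp:
    """Hypothetical minimal app: a state-changing action guarded by a synchronizer token."""

    def __init__(self):
        # session_id -> set of outstanding single-use tokens (constructed in-memory store)
        self.sessions = {}
        # records "deleted" by the state-changing action, so tests can inspect the effect
        self.deleted = []

    def render_form(self, session_id):
        """Page load: mint a fresh random token, bind it to this session,
        and return it as the hidden form field the page would embed."""
        token = secrets.token_urlsafe(32)  # unique per request
        self.sessions.setdefault(session_id, set()).add(token)
        return {"hidden_fields": {"csrf_token": token}}

    def _consume_token(self, session_id, token):
        """Accept the token only if it was issued to *this* session, then retire it."""
        outstanding = self.sessions.get(session_id, set())
        for issued in outstanding:
            # constant-time comparison; token may be missing from a forged request
            if hmac.compare_digest(issued, token or ""):
                outstanding.remove(issued)  # single use: a replay is rejected
                return True
        return False

    def delete_record(self, session_id, form):
        """POST handler for the state-changing action.
        The browser sends the victim's session cookie automatically, so the
        session alone proves nothing; the token must match that session."""
        if not self._consume_token(session_id, form.get("csrf_token")):
            return "rejected: invalid token for this session"
        self.deleted.append(form["id"])
        return "deleted " + form["id"]

    def confirm_delete_get(self, session_id, record_id):
        """A link such as /delete?id=... must not act on the id itself.
        It renders an intermediate confirmation page whose form carries a
        fresh token; only the subsequent POST (delete_record) changes state."""
        page = self.render_form(session_id)
        page["hidden_fields"]["id"] = record_id
        page["prompt"] = "Really delete record %s?" % record_id
        return page
```

Usage: call `render_form` (or `confirm_delete_get`) for the user's session, then pass the returned hidden fields back into `delete_record`. A request that arrives with the victim's session cookie but no token, a token minted for a different session, or a token that has already been consumed is refused, which is exactly the gap a forged cross-site request falls into.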

Because of Salesforce’s built-in defense against CSRF, your users might encounter an error when they have multiple Salesforce login pages open. If the user logs in to Salesforce in one tab and then attempts to log in to the other, they see an error, “The page you submitted was invalid for your session”. Users can successfully log in by refreshing the login page or attempting to log in a second time.
