Hi
We have just conducted a security check on our site and found that both $LoginForm and the MemberLoginForm (at http://example.com/Security/login) do not use a SecurityID. According to the docs, form objects automatically contain a SecurityID to help prevent Cross-Site Request Forgery (https://docs.silverstripe.org/en/3.2/developer_guides/security/secure_coding/).
After a bit of hunting, I found this within the __construct function of LoginForm.php:
$this->disableSecurityToken();
Why is disableSecurityToken being called here? Is there a particular situation where this is needed? How is it possible to override it?
Any advice please? Thanks in advance.
Cheers, Antony