Support for cross-site request forgery (CSRF) prevention was added in Windchill 10.0 M010 for the majority of data altering actions. The remaining actions were implemented in Windchill 10.0 M020.

The solution implemented by Windchill is to generate a unique token for each user when their session is established. This unique token is called a nonce and is cached in the user session. Each time a data altering URL is generated by the server for this session, the server includes the nonce in a hidden form field named CSRF_NONCE. When the user submits the form for the action, this hidden field is sent back to the server which can then compare the nonce in the request with the nonce in the session. If the nonce is missing or does not match, then the request is rejected with the following error: A potential security problem was detected. Refresh the page and try again. If the problem persists, contact your administrator. The events detected as potential CSRF attacks are also recorded in the audit logs.