Hi guys,

I'm planning to write a CSRF prevention filter. Here are 2 approaches.
Approach 1: Use the HttpServlet header "referer" to verify the invocation of
an action. Easy to implement, but hard to determine whether the source the
"referer" header comes from is authorized or not. For my part, it only
applies to rough verification.
Approach 2: Add a secret token to every request to prove its legality.
The difficulty is how to add this token into requests. Yes, we can modify
the static link address (like http://aaa/bbb.jsp →
http://aaa/bbb.jsp?token=xxxxx) and the form (add <input type="hidden"
name="token" value="xxxxx">).
But the problem is, consider, for example, these actions defined in the Struts
XML configuration. When an action is performed, the redirect address has
already been decided, not along with the token... then your check would fail.
I'd like to know how to fix it.
Any help, recommendation or proposal would be greatly appreciated!
Regards,
Shi
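The synchronizer-token filter sketched in approach 2, written out as an added example for this thread (it is not Acegi's or Struts' own code, and the attribute name "csrfToken", the header name "X-CSRF-Token" and the way the token is exposed to JSPs are assumptions). It also shows the usual way the redirect problem is handled: the filter only demands a token on state-changing methods (POST and the like), while the GET that follows a redirect carries no token and is let through, because a GET should not change state. The referer comparison from approach 1 is included as a separate, defense-in-depth check.

```java
import java.io.IOException;
import java.net.URI;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Illustrative synchronizer-token CSRF filter (example code, not from
 * Acegi or Struts). One random token per session; every state-changing
 * request must echo it back in the "token" parameter (as in the post) or
 * in an assumed "X-CSRF-Token" request header.
 */
public class CsrfTokenFilter implements Filter {
    /** Session and request attribute name (assumed); JSPs read ${csrfToken}. */
    public static final String TOKEN_ATTR = "csrfToken";
    /** Form/query parameter name, as used in the post. */
    public static final String TOKEN_PARAM = "token";
    private static final SecureRandom RNG = new SecureRandom();

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        HttpSession session = request.getSession(true);

        // Issue the per-session token lazily on the first request we see.
        String sessionToken = (String) session.getAttribute(TOKEN_ATTR);
        if (sessionToken == null) {
            sessionToken = newToken();
            session.setAttribute(TOKEN_ATTR, sessionToken);
        }
        // Make the token available to views so forms can embed the hidden field.
        request.setAttribute(TOKEN_ATTR, sessionToken);

        // Redirect targets are fetched with GET and are not checked, which is
        // what resolves the "redirect address has no token" problem: only
        // requests that may change state must carry the token.
        if (isStateChanging(request)) {
            String submitted = request.getParameter(TOKEN_PARAM);
            if (submitted == null) {
                submitted = request.getHeader("X-CSRF-Token");
            }
            if (submitted == null || !constantTimeEquals(sessionToken, submitted)) {
                response.sendError(HttpServletResponse.SC_FORBIDDEN, "CSRF token missing or invalid");
                return;
            }
            // Approach 1 as defence in depth: a Referer from another host is rejected,
            // a missing Referer is tolerated because proxies and browsers strip it.
            if (!refererMatchesHost(request)) {
                response.sendError(HttpServletResponse.SC_FORBIDDEN, "Cross-site referer");
                return;
            }
        }
        chain.doFilter(req, res);
    }

    /** GET, HEAD and OPTIONS are treated as safe; everything else must prove itself. */
    static boolean isStateChanging(HttpServletRequest r) {
        String m = r.getMethod();
        return !("GET".equals(m) || "HEAD".equals(m) || "OPTIONS".equals(m));
    }

    /** 256 random bits, URL-safe so it can also travel in a query string. */
    static String newToken() {
        byte[] b = new byte[32];
        RNG.nextBytes(b);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(b);
    }

    /** Length-independent comparison so token bytes cannot be guessed by timing. */
    static boolean constantTimeEquals(String a, String b) {
        return MessageDigest.isEqual(a.getBytes(StandardCharsets.UTF_8),
                                     b.getBytes(StandardCharsets.UTF_8));
    }

    /** True when there is no Referer, or its host equals the host the request was sent to. */
    static boolean refererMatchesHost(HttpServletRequest r) {
        String referer = r.getHeader("Referer");
        if (referer == null || referer.isEmpty()) {
            return true;
        }
        try {
            String refHost = URI.create(referer).getHost();
            return refHost != null && refHost.equalsIgnoreCase(r.getServerName());
        } catch (IllegalArgumentException malformed) {
            return false;
        }
    }
}
```

Map the filter in web.xml in front of the Struts action servlet, and in each JSP form add `<input type="hidden" name="token" value="${csrfToken}">` (the attribute name is the assumed one above). Links that trigger state changes should be turned into POST forms rather than given `?token=` query strings, because a token in a URL leaks through the very Referer header approach 1 relies on.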
_______________________________________________
Home: http://acegisecurity.org
Acegisecurity-developer mailing list
Acegisecurity-developer@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer