Yes, AJAX calls are an interesting point... If AJAX requests used the
random token even a single call would reset the token and break
things. If they did not use the random token they are a gaping
security hole.
I don't think we're going to do the random token thing, unless someone
sponsors and contributes it and by default it is turned off. If we do
the AJAX stuff will be an issue... and I can't think of a good
solution. The thought crossed my mind of using a stateless pattern and
have them not use the session (OFBiz services work this way by default
anyway), but then the browser would have to pass auth credentials with
each request, and the browser wouldn't generally know them.
Allowing X previous tokens to work opens a larger vulnerability window
when AJAX isn't used, and for long-lived pages there could be hundreds
of AJAX requests for a single page before the user clicks on a link to
go to another page.
Anyway, yes that is a conundrum.
-David
On Mar 5, 2009, at 4:02 PM, Al Byers wrote:
David,
I am trying to think of the effect this will have as applications
have more
and more AJAX calls. It seems like it would come down to
implementing a
central object for processing such requests and the developer would
not need
to worry about it, but then a mix of page requests and ajax calls
would be a
problem. I guess it would just mean that every page that is loaded
would
update the central ajax processing object with its token.
But then, a lot of times, there are asynchronous ajax requests going
on that
would make it impossible to keep a single token going. But,
generally, you
would only have one secure ajax request active at a time. Did you
say this
would only be for secure requests? Maybe allowing a rolling list of
the last
x tokens would help in the ajax environment when you want to allow
concurrent secure requests. Varying the size of "x" would make the
system
more or less secure, right?
In short, with more and more apps trying to emulate a desktop
environment,
this will be more of a problem, but on the other hand, such a client-
side
framework could take care of most of the work in making this happen.
-Al
