[
https://issues.apache.org/jira/browse/WW-4539?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14723627#comment-14723627
]
Lukasz Lenart commented on WW-4539:
-----------------------------------
Sure thing! But there is no attachment :(
> Handling array of tokens in token session interceptor to prevent CSRF attack
> in an async-request app
> ----------------------------------------------------------------------------------------------------
>
> Key: WW-4539
> URL: https://issues.apache.org/jira/browse/WW-4539
> Project: Struts 2
> Issue Type: Improvement
> Components: Core Interceptors
> Affects Versions: Future
> Reporter: Yasser Zamani
> Priority: Trivial
> Labels: security
> Fix For: 2.3.x
>
>
> We have an application based on Struts2 which may call multiple async actions
> via jQuery AJAX post or form post. To prevent this application from CSRF
> attacks I'm going to write my own interceptor which is very similar to the
> Struts2 token session interceptor. But this one holds an array of valid
> tokens instead of one token to enable the user to have multiple async requests
> with a different valid token for each one, i.e. my own token TAG will generate
> different tokens in each inclusion, even in one JSP and thread. So, different
> parts of the JSP can have their own async requests with valid tokens. Each token
> will be removed from the array when the corresponding request has finished.
> I decided to share my work with you for two reasons:
> 1. Maybe you are interested in having this feature in Struts core too.
> 2. To get your feedback on whether this solution works to prevent CSRF attacks. I
> just copied from the token session interceptor and the current token tag in Struts core
> but I'm still worried about the thread safety of my work or any other issue.
> Thanks in advance!
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
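The multi-token scheme described in the issue (several outstanding per-session tokens, one per tag inclusion, each consumed by exactly one request) can be illustrated with a plain Java class. This is an added example, not code from the reporter's attachment or from Struts' own TokenSessionStoreInterceptor; the class name `MultiTokenCsrfStore`, the cap `MAX_OUTSTANDING` and the `issue`/`consume` methods are hypothetical. It differs from the issue text in one deliberate way: the token is removed when the request is validated, before the action runs, rather than "when the request has finished", so that two concurrent submissions of the same token cannot both pass. The main method demonstrates that race directly.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.CountDownLatch;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.atomic.AtomicInteger;

// Hypothetical per-session store holding many valid CSRF tokens at once.
// One instance would live as a session attribute; the container serialises
// access to the session map, but not to the set inside it, hence the
// concurrent set below.
public final class MultiTokenCsrfStore {
    // Cap on outstanding tokens so a page that includes the tag in a loop
    // cannot grow the session without bound (assumed limit, tune per app).
    static final int MAX_OUTSTANDING = 32;
    private static final SecureRandom RNG = new SecureRandom();
    private final Set<String> tokens = ConcurrentHashMap.newKeySet();

    // Called once per token tag inclusion: returns a fresh, unguessable token
    // for that fragment's form field or AJAX request header.
    public String issue() {
        // size()+add() is not one atomic step, so this is a soft cap: under
        // a race the set may briefly exceed MAX_OUTSTANDING by a few entries.
        if (tokens.size() >= MAX_OUTSTANDING) {
            throw new IllegalStateException("too many outstanding CSRF tokens");
        }
        byte[] buf = new byte[32];
        RNG.nextBytes(buf);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(buf);
        tokens.add(token);
        return token;
    }

    // Check and consume in a single atomic step. Set.remove returns true for
    // exactly one caller per token, so a replayed or duplicated request fails
    // even if it arrives at the same instant as the legitimate one.
    public boolean consume(String token) {
        return token != null && tokens.remove(token);
    }

    public int outstanding() {
        return tokens.size();
    }

    public static void main(String[] args) throws Exception {
        MultiTokenCsrfStore store = new MultiTokenCsrfStore();

        // Two fragments of the same JSP each get their own token.
        String t1 = store.issue();
        String t2 = store.issue();
        System.out.println("t1 first use accepted: " + store.consume(t1));
        System.out.println("t1 replay accepted:    " + store.consume(t1));
        System.out.println("never-issued accepted: " + store.consume("constructed-bogus-token"));

        // Race: 16 threads submit the same token simultaneously; count winners.
        String t3 = store.issue();
        int n = 16;
        ExecutorService pool = Executors.newFixedThreadPool(n);
        CountDownLatch go = new CountDownLatch(1);
        AtomicInteger wins = new AtomicInteger();
        for (int i = 0; i < n; i++) {
            pool.submit(() -> {
                go.await();
                if (store.consume(t3)) {
                    wins.incrementAndGet();
                }
                return null;
            });
        }
        go.countDown();
        pool.shutdown();
        pool.awaitTermination(5, TimeUnit.SECONDS);
        System.out.println("concurrent winners for t3: " + wins.get());

        // The second fragment's token is unaffected by what happened to t1 and t3.
        System.out.println("t2 still accepted:     " + store.consume(t2));
        System.out.println("outstanding tokens:    " + store.outstanding());
    }
}
```

To wire this into Struts, the custom token tag would fetch (or create) the store from the session and call `issue()` for each rendering, and the custom interceptor would call `consume()` with the submitted token before invoking the action, returning the "invalid.token" result when it yields false; that wiring is not shown here. Tokens that are issued but never submitted (an abandoned page) stay in the set until the session expires, which is what the cap guards against.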