[ https://issues.apache.org/jira/browse/WW-4539?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14740260#comment-14740260 ]
ASF GitHub Bot commented on WW-4539:
------------------------------------

Github user aleksandr-m commented on the pull request:

    https://github.com/apache/struts/pull/49#issuecomment-139461467

    Do we really need a list of tokens? Currently if you use different names for tokens they all will be [stored into session](https://github.com/apache/struts/blob/master/core/src/main/java/org/apache/struts2/util/TokenHelper.java#L91). Does using token tag with a name solve your problem?

> Handling array of tokens in token session interceptor to prevent CSRF attack in an async-request app
> ----------------------------------------------------------------------------------------------------
>
>                 Key: WW-4539
>                 URL: https://issues.apache.org/jira/browse/WW-4539
>             Project: Struts 2
>          Issue Type: Improvement
>          Components: Core Interceptors
>    Affects Versions: Future
>            Reporter: Yasser Zamani
>            Priority: Trivial
>              Labels: security
>             Fix For: 2.5
>
>
> We have an application based on Struts2 which may call multiple async actions via JQuery AJAX post or form post. To prevent this application from CSRF attacks I'm going to write my own interceptor which is very similar to the Struts2 token session interceptor. But this one holds an array of valid tokens instead of one token to enable the user to have multiple async requests with a different valid token for each one, i.e. my own token TAG will generate different tokens in each inclusion even in one JSP and thread. So, different parts of the JSP can have their own async requests with valid tokens. Each token will be removed from the array when the corresponding request has finished.
> I decided to share my work with you for two reasons:
> 1. Maybe you are also interested in having this feature in Struts core.
> 2. To get your feedback on whether this solution works to prevent CSRF attacks. I just copied from the token session interceptor and the current token tag in Struts core, but I'm still worried about the thread safety of my work or any other issue.
> Thanks in advance!

-- This message was sent by Atlassian JIRA (v6.3.4#6332)
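To make the thread-safety question concrete, here is a per-session multi-token store of the kind the issue describes, written as an added illustration; it is not code from the Struts project or from the pull request, and the class name MultiTokenStore, the bound on outstanding tokens and the wiring to the tag and interceptor are assumptions. The one design change from the description is that a token is validated and removed in a single locked step before the action runs, rather than after the request finishes, so a duplicate concurrent submission cannot pass twice.

```java
import java.io.Serializable;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Iterator;
import java.util.LinkedHashSet;
import java.util.Set;

/**
 * Hypothetical per-session store of outstanding CSRF tokens (not Struts code).
 * One instance lives in the HTTP session; the token tag would call issue() on
 * every inclusion and the interceptor would call consume() before invoking the action.
 */
public final class MultiTokenStore implements Serializable {
    private static final SecureRandom RNG = new SecureRandom();
    private final int maxOutstanding;                          // bound growth from pages that are never submitted
    private final Set<String> tokens = new LinkedHashSet<>();  // insertion order lets us evict the oldest

    public MultiTokenStore(int maxOutstanding) {
        this.maxOutstanding = maxOutstanding;
    }

    /** A fresh, unpredictable token on every call, so each async part of a page gets its own. */
    public synchronized String issue() {
        byte[] raw = new byte[32];
        RNG.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        if (tokens.size() >= maxOutstanding) {                 // evict the oldest token; that page's form will need a refresh
            Iterator<String> oldest = tokens.iterator();
            oldest.next();
            oldest.remove();
        }
        tokens.add(token);
        return token;
    }

    /**
     * Validate and remove under one lock. Set.remove returns true for exactly one caller,
     * so two concurrent requests carrying the same token cannot both be accepted.
     */
    public synchronized boolean consume(String submitted) {
        return submitted != null && tokens.remove(submitted);
    }

    public static void main(String[] args) {
        MultiTokenStore store = new MultiTokenStore(100);
        String a = store.issue(), b = store.issue();           // two tag inclusions on one page, two tokens
        System.out.println(store.consume(a) && store.consume(b)); // each async request uses its own token
        System.out.println(store.consume(a));                    // a second use of the same token must be refused
    }
}
```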