[ 
https://issues.apache.org/jira/browse/WW-4539?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14740260#comment-14740260
 ] 

ASF GitHub Bot commented on WW-4539:
------------------------------------

Github user aleksandr-m commented on the pull request:

    https://github.com/apache/struts/pull/49#issuecomment-139461467
  
    Do we really need a list of tokens? Currently, if you use different names for tokens, they all will be [stored into session](https://github.com/apache/struts/blob/master/core/src/main/java/org/apache/struts2/util/TokenHelper.java#L91). Does using the token tag with a name solve your problem?


> Handling array of tokens in token session interceptor to prevent CSRF attack 
> in an async-request app
> ----------------------------------------------------------------------------------------------------
>
>                 Key: WW-4539
>                 URL: https://issues.apache.org/jira/browse/WW-4539
>             Project: Struts 2
>          Issue Type: Improvement
>          Components: Core Interceptors
>    Affects Versions: Future
>            Reporter: Yasser Zamani
>            Priority: Trivial
>              Labels: security
>             Fix For: 2.5
>
>
> We have an application based on Struts2 which may call multiple async actions 
> via JQuery AJAX post or form post. To prevent this application from CSRF 
> attacks I'm going to write my own interceptor which is very similar to the 
> Struts2 token session interceptor. But this one holds an array of valid 
> tokens instead of one token to enable the user to have multiple async requests 
> with a different valid token for each one. i.e. my own token TAG will generate 
> different tokens in each inclusion even in one JSP and thread. So, different 
> parts of a JSP can have their own async requests with valid tokens. Each token 
> will be removed from the array when the corresponding request has finished.
> I decided to share my work with you for two reasons:
> 1. Maybe you are interested too to have this feature in Struts core.
> 2. To get your feedback if this solution works to prevent CSRF attacks. I 
> just copied from the token session interceptor and current token tag in Struts core 
> but still I'm worried about thread safety of my work or any other issue.
> Thanks in advance! 
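The two designs discussed above (the reporter's "array of tokens" and aleksandr-m's point that named tokens are already stored separately in the session) can be reconciled in one small session-scoped store. The following is an added example, not code from Struts or from either participant; the class name `MultiTokenStore`, the `MAX_OUTSTANDING` cap and the `issue`/`consume` names are assumptions for illustration. It keeps one token per name so that several page fragments can each hold their own token, consumes each token exactly once under a lock so two concurrent async requests cannot both succeed with the same value, compares in constant time, and caps the number of outstanding tokens so an abandoned page cannot grow the session without bound.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.LinkedHashMap;

/**
 * Hypothetical per-session store for several named CSRF tokens (not Struts code).
 * One instance lives in the user's HTTP session. Every public method is
 * synchronized so that concurrent async requests carrying the same token
 * cannot both be accepted (check-and-remove is atomic).
 */
public final class MultiTokenStore {
    // Assumption: cap outstanding tokens so an abandoned page cannot bloat the session.
    private static final int MAX_OUTSTANDING = 32;
    private static final SecureRandom RNG = new SecureRandom();

    // tokenName -> token value; insertion order lets us evict the oldest entry.
    private final LinkedHashMap<String, String> tokens = new LinkedHashMap<>();

    /** Issue a fresh token under {@code name}; re-issuing for the same name replaces the old token. */
    public synchronized String issue(String name) {
        byte[] raw = new byte[32];
        RNG.nextBytes(raw);                       // 256 bits from a CSPRNG
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        tokens.remove(name);                      // re-insert so this name becomes the newest entry
        if (tokens.size() >= MAX_OUTSTANDING) {
            String oldest = tokens.keySet().iterator().next();
            tokens.remove(oldest);                // evict the oldest outstanding token
        }
        tokens.put(name, token);
        return token;
    }

    /** Validate and consume: returns true at most once per issued (name, token) pair. */
    public synchronized boolean consume(String name, String presented) {
        if (name == null || presented == null) {
            return false;
        }
        String expected = tokens.get(name);
        if (expected == null) {
            return false;                         // unknown name, or token already consumed
        }
        byte[] a = expected.getBytes(StandardCharsets.UTF_8);
        byte[] b = presented.getBytes(StandardCharsets.UTF_8);
        if (!MessageDigest.isEqual(a, b)) {       // constant-time comparison
            return false;
        }
        tokens.remove(name);                      // single use: removed once the request is accepted
        return true;
    }

    /** Number of tokens still awaiting a request. */
    public synchronized int outstanding() {
        return tokens.size();
    }

    public static void main(String[] args) {
        MultiTokenStore store = new MultiTokenStore();
        // Two fragments of one JSP each receive their own token, as the issue describes.
        String tokenA = store.issue("form.a");
        String tokenB = store.issue("form.b");
        System.out.println("first use of form.a:      " + store.consume("form.a", tokenA));
        System.out.println("replay of form.a:         " + store.consume("form.a", tokenA));
        System.out.println("form.a token on form.b:   " + store.consume("form.b", tokenA));
        System.out.println("first use of form.b:      " + store.consume("form.b", tokenB));
        System.out.println("tokens still outstanding: " + store.outstanding());
    }
}
```

The store only handles the token bookkeeping; an interceptor using it would still look the token name and value up from the request parameters, reject the request when `consume` returns false, and make sure the session object itself is created before the first token is issued. Because the lock is per store (per session), it does not serialize requests from different users.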



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
