[ https://issues.apache.org/jira/browse/OFBIZ-11306?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16991242#comment-16991242 ]

Samuel Trégouët edited comment on OFBIZ-11306 at 12/9/19 9:09 AM:
------------------------------------------------------------------

Hi James, thanks for your quick reply.

q1: I can't see any detail on the owasp.org page for token length and algorithm... and the reference to the java.sun.com SecureRandom page is broken… But if we only need to generate a random token, maybe the Java standard library is enough.

q2: I was talking about Set, not List. Moreover, as you suggest a Map with no more than 50 entries, I think the time difference between map lookup and list lookup will be really small. So we should not consider performance but only the easiest structure to work with.

Another question, q3: why do you not consider GET requests? An attacker can build an HTML form with `method="get"`.

was (Author: stregouet):
Hi James, thanks for your quick reply.

q1: I can't see any detail on the owasp.org page for token length and algorithm... and the reference to the java.sun.com SecureRandom page is broken…

q2: I was talking about Set, not List. Moreover, as you suggest a Map with no more than 50 entries, I think the time difference between map lookup and list lookup will be really small.

> POC for CSRF Token
> ------------------
>
>                 Key: OFBIZ-11306
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-11306
>             Project: OFBiz
>          Issue Type: Improvement
>          Components: ALL APPLICATIONS
>    Affects Versions: Upcoming Branch
>            Reporter: James Yong
>            Assignee: Jacques Le Roux
>            Priority: Minor
>              Labels: CSRF
>             Fix For: Upcoming Branch
>
>         Attachments: OFBIZ-11306.patch, OFBIZ-11306.patch
>
>
> CSRF tokens are generated using the CSRF Guard library and used in:
> 1) Widget forms, where a hidden token field is auto-generated.
> 2) FTL forms, where a <@csrfTokenField> macro is used to generate the CSRF
> token field.
> 3) Ajax calls, where a <@csrfTokenAjax> macro is used to assign the CSRF token
> to X-CSRF-Token in the request header.
> CSRF tokens are stored in the user session and verified during POST requests.
> A new attribute, i.e. csrf-token, is added to the security tag to exempt a request from the CSRF
> token check.
> Certain request paths, like LookupPartyName, can be exempted from the CSRF token
> check during Ajax POST calls.
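The three questions above (a standard-library random source for the token, a bounded Set-like store per session rather than a List, and applying the check to state-changing GET requests as well as POST) can be illustrated in one small class. The following is an added example written for this page; it is not OFBiz code and not the CSRF Guard library. The class name `CsrfTokenStore`, the 32-byte token length, the single-use (consume-on-verify) behaviour and the `requiresToken` helper are assumptions of the example; the 50-entry bound is the figure quoted in the discussion.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.LinkedHashMap;
import java.util.Map;

/**
 * Added example (not OFBiz / CSRF Guard code): one instance per user session.
 * Tokens come from java.security.SecureRandom, are kept in an insertion-ordered
 * map used as a bounded set, and are compared in constant time.
 */
public final class CsrfTokenStore {
    private static final SecureRandom RNG = new SecureRandom();
    private static final int TOKEN_BYTES = 32;   // 256 bits of entropy (assumed length)
    private static final int MAX_TOKENS = 50;    // bound quoted in the discussion

    // LinkedHashMap as a bounded set: when the 51st token is added, the oldest is evicted.
    private final Map<String, Boolean> tokens = new LinkedHashMap<String, Boolean>(16, 0.75f, false) {
        @Override
        protected boolean removeEldestEntry(Map.Entry<String, Boolean> eldest) {
            return size() > MAX_TOKENS;
        }
    };

    /** Generate a fresh token and remember it for this session. */
    public synchronized String issue() {
        byte[] raw = new byte[TOKEN_BYTES];
        RNG.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        tokens.put(token, Boolean.TRUE);
        return token;
    }

    /**
     * Verify a presented token and consume it (single use, an assumption of this example).
     * Every stored token is compared with MessageDigest.isEqual so the time taken does not
     * reveal how many leading characters matched; the loop does not break early either.
     */
    public synchronized boolean verifyAndConsume(String presented) {
        if (presented == null) {
            return false;
        }
        byte[] p = presented.getBytes(StandardCharsets.US_ASCII);
        String matched = null;
        for (String stored : tokens.keySet()) {
            if (MessageDigest.isEqual(stored.getBytes(StandardCharsets.US_ASCII), p)) {
                matched = stored;
            }
        }
        if (matched == null) {
            return false;
        }
        tokens.remove(matched);
        return true;
    }

    public synchronized int size() {
        return tokens.size();
    }

    /**
     * Decide whether a request must carry a token. Hypothetical helper: anything that is not a
     * safe method needs one, and a GET handler that changes state needs one too (q3 above).
     * 'exempt' models the csrf-token attribute on the security tag.
     */
    public static boolean requiresToken(String method, boolean changesState, boolean exempt) {
        if (exempt) {
            return false;
        }
        boolean safeMethod = "GET".equals(method) || "HEAD".equals(method) || "OPTIONS".equals(method);
        return !safeMethod || changesState;
    }

    public static void main(String[] args) {
        CsrfTokenStore session = new CsrfTokenStore();
        String t = session.issue();
        System.out.println("POST with valid token accepted: "
                + (requiresToken("POST", true, false) && session.verifyAndConsume(t)));
        System.out.println("Replay of the same token accepted: " + session.verifyAndConsume(t));
        System.out.println("State-changing GET needs a token: " + requiresToken("GET", true, false));
        System.out.println("Exempted path needs a token: " + requiresToken("POST", true, true));
        for (int i = 0; i < 60; i++) {
            session.issue();
        }
        System.out.println("Store size after 60 more tokens (bounded to 50): " + session.size());
    }
}
```

Run it with `javac CsrfTokenStore.java && java CsrfTokenStore`. The Map-versus-Set point from q2 is visible in the store: a `LinkedHashMap` with `removeEldestEntry` gives the bounded, insertion-ordered set the thread asks for without a separate List, and at 50 entries the linear constant-time scan in `verifyAndConsume` costs nothing measurable. The q3 point is carried by `requiresToken`: exempting all GET requests is only safe if no GET handler changes state, so the decision is driven by what the handler does rather than by the HTTP method alone.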