Hi,
  Since XHR requests cannot be cross-domain, you cannot get a CSRF through
XHR (the browser will not allow another page to send an XHR to your server).
The only option would be a normal POST against your supposed-ajax URL. In
order to protect against it, we check for an HTTP header that is sent on
any ajax request by our JavaScript framework (Dojo). A normal form cannot
be manipulated to add that header, so if the request is supposed to be ajax
and it does not have the header, you can reject it, because it is a CSRF
attempt.


Regards

JL



2013/9/25 Alireza Fattahi <afatt...@yahoo.com>

> Hi,
>
> We want to avoid multiple requests sent via Ajax in a Struts 2 web-based
> application.
>
> The `s:token` can be used in regular request-response JSP pages, but it
> will not work for ajax requests. The problem is the returned response, which
> does not populate a new value for the Struts token.
>
> I found this issue at
> http://stackoverflow.com/questions/13353577/howto-do-csrf-protection-in-struts2-application-for-ajax-requests
> but I wonder if there is any better way for that? (I think this is a very
> common issue which must have been managed in Struts.)
>
>
> ~Regards,
> ~~Alireza Fattahi
>
