CSRF attack on Asynchronous requests

 
Ranch Hand
Posts: 215
We are using Spring MVC architecture with Ext JS as the UI. We are using multiple asynchronous requests in the application. We want to implement a CSRF token. Now, we cannot use a new CSRF token with each request, because asynchronous requests can fail. Now, another option is to keep the same CSRF token per user session. Now, when we transmit the CSRF token from the server to the UI (via HTTP request header or cookie) there is a possibility that a hacker can forge the requests and get the CSRF token. Now, the hacker can use the token to send forged requests. So, how to improve the CSRF implementation here?
 
Saloon Keeper
Posts: 15731
http://stackoverflow.com/questions/43302067/csrf-attack-on-asynchronous-requests
BeForthrightWhenCrossPostingToOtherSites

Why are you afraid that a hacker can forge the request? Are you using an insecure connection?
 
author & internet detective
Posts: 42018
An async request doesn't mean you don't have a session, so it doesn't prohibit session CSRF tokens. It doesn't even prohibit per-request tokens: you can have a set of issued tokens that you validate against and have each be valid for a certain length of time.

How do you authenticate the user now? Are you using https?
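The approach in the reply above (a set of issued tokens per session, each valid for a limited time, so several async requests can be in flight at once and a failed request does not break the others) can be implemented server-side as below. This is an added example, not code from the thread, from Spring, or from Ext JS; the session id string, the 50-token cap and the TTL are assumptions for illustration.

```java
import static java.nio.charset.StandardCharsets.UTF_8;

import java.security.MessageDigest;
import java.security.SecureRandom;
import java.time.Duration;
import java.time.Instant;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

/**
 * Per-session store of outstanding CSRF tokens, each valid for a limited time
 * and consumed on first use. Added example; not code from the thread or from
 * Spring Security. Session ids, cap and TTL are assumptions for illustration.
 */
public final class CsrfTokenStore {
    private static final SecureRandom RNG = new SecureRandom();
    private static final int MAX_OUTSTANDING = 50; // assumption: bounds per-session memory

    private final Duration ttl;
    /** sessionId -> (token -> expiry). The session id comes from the server-side session, never from the request. */
    private final Map<String, Map<String, Instant>> issued = new ConcurrentHashMap<>();

    public CsrfTokenStore(Duration ttl) {
        this.ttl = ttl;
    }

    /** Issue a fresh 256-bit random token for this session; the UI echoes it back in a request header. */
    public String issue(String sessionId) {
        byte[] raw = new byte[32];
        RNG.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        Map<String, Instant> perSession = issued.computeIfAbsent(sessionId, k -> new ConcurrentHashMap<>());
        purgeExpired(perSession);
        if (perSession.size() >= MAX_OUTSTANDING) {
            // Evict the token that expires soonest so a busy UI cannot grow the set without bound.
            perSession.entrySet().stream()
                    .min(Map.Entry.comparingByValue())
                    .ifPresent(e -> perSession.remove(e.getKey()));
        }
        perSession.put(token, Instant.now().plus(ttl));
        return token;
    }

    /**
     * Accept the request only if the presented token was issued to this session and
     * has not expired. The token is removed on success, so a replayed token is
     * rejected after its first use.
     */
    public boolean consume(String sessionId, String presented) {
        if (sessionId == null || presented == null) {
            return false;
        }
        Map<String, Instant> perSession = issued.get(sessionId);
        if (perSession == null) {
            return false;
        }
        byte[] presentedBytes = presented.getBytes(UTF_8);
        String match = null;
        // Compare against every outstanding token with a constant-time comparison,
        // so response timing does not reveal how much of a guess was right.
        for (String candidate : perSession.keySet()) {
            if (MessageDigest.isEqual(candidate.getBytes(UTF_8), presentedBytes)) {
                match = candidate;
            }
        }
        if (match == null) {
            return false;
        }
        Instant expiry = perSession.remove(match);
        return expiry != null && Instant.now().isBefore(expiry);
    }

    /** Call on logout or session invalidation so old tokens cannot outlive the session. */
    public void invalidateSession(String sessionId) {
        issued.remove(sessionId);
    }

    private static void purgeExpired(Map<String, Instant> perSession) {
        Instant now = Instant.now();
        perSession.entrySet().removeIf(e -> !now.isBefore(e.getValue()));
    }

    public static void main(String[] args) throws InterruptedException {
        CsrfTokenStore store = new CsrfTokenStore(Duration.ofMillis(200));
        String session = "constructed-session-id"; // assumption: stands in for the servlet session id
        String t1 = store.issue(session);
        String t2 = store.issue(session);            // two async requests in flight at once
        System.out.println("t1 first use:      " + store.consume(session, t1));
        System.out.println("t1 replayed:       " + store.consume(session, t1));
        System.out.println("t2 other session:  " + store.consume("other-session", t2));
        Thread.sleep(250);                           // let t2 pass its TTL
        System.out.println("t2 after expiry:   " + store.consume(session, t2));
        System.out.println("unissued token:    " + store.consume(session, "AAAA"));
    }
}
```

A servlet filter or Spring interceptor would call issue() when rendering the page (or answering a dedicated token request) and consume() on every state-changing request, reading the token from a header that the Ext JS client sets on each async call. Sending the token in a header rather than only in a cookie matters because a cross-site page cannot read the response of a request it forged, so it cannot learn the header value; the replies' question about HTTPS is about the other exposure, the token being readable in transit.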
 