CSRF attack on Asynchronous requests

 
Ranch Hand
Posts: 215
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
We are using Spring MVC architecture with Ext JS as the UI. We are using multiple asynchronous requests in the application. We want to implement a CSRF token. Now, we cannot use a new CSRF token with each request, because asynchronous requests can fail. Now, another option is to keep the same CSRF token per user session. Now, when we transmit the CSRF token from server to UI (via HTTP request header or cookie), there is a possibility that a hacker can forge the requests and get the CSRF token. Now, the hacker can use the token to send forged requests. So, how to improve the CSRF implementation here?
 
Bartender
Posts: 15743
368
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
http://stackoverflow.com/questions/43302067/csrf-attack-on-asynchronous-requests
BeForthrightWhenCrossPostingToOtherSites

Why are you afraid that a hacker can forge the request? Are you using an insecure connection?
 
author & internet detective
Posts: 42173
937
Eclipse IDE VI Editor Java
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
An async request doesn't mean you don't have a session, so it doesn't prohibit session CSRF tokens. It doesn't even prohibit per-request tokens: you can have a set of issued tokens that you validate against and have each be valid for a certain length of time.

How do you authenticate the user now? Are you using https?
 
"To do good, you actually have to do something." -- Yvon Chouinard
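To make the "set of issued tokens, each valid for a certain length of time" idea from the reply above concrete, and to show why the original poster's worry about a forged request "getting" the token does not hold when the token travels in a custom request header, here is an added, plain-Java example. It is not code from this thread, from Spring Security or from Ext JS; the class names, the session attribute name `csrfTokenStore` and the header name `X-CSRF-Token` are assumptions for illustration. It keeps a per-session store of random tokens with an expiry window, does not consume a token on use (so a failed async call does not invalidate the others in flight), compares tokens in constant time, and only accepts a token that arrives in a request header, never one read back from a cookie.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

public class CsrfTokenDemo {

    /** Per-session set of issued CSRF tokens, each valid for a bounded window. */
    static final class CsrfTokenStore {
        private static final SecureRandom RNG = new SecureRandom();
        private final long ttlMillis;
        // token -> expiry time (epoch millis)
        private final Map<String, Long> issued = new ConcurrentHashMap<>();

        CsrfTokenStore(long ttlMillis) {
            this.ttlMillis = ttlMillis;
        }

        /** Issue a fresh unpredictable token; the UI echoes it back in a request header. */
        String issue(long now) {
            byte[] raw = new byte[32];
            RNG.nextBytes(raw);
            String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
            issued.put(token, now + ttlMillis);
            return token;
        }

        /**
         * Accept any live issued token. Tokens are not consumed on use, so several
         * in-flight async requests may carry the same token and a failed request
         * does not invalidate the ones that follow it.
         */
        boolean isValid(String presented, long now) {
            if (presented == null) {
                return false;
            }
            issued.values().removeIf(expiry -> expiry <= now);   // drop expired tokens
            byte[] given = presented.getBytes(StandardCharsets.UTF_8);
            for (String token : issued.keySet()) {
                // constant-time comparison so response timing does not leak token bytes
                if (MessageDigest.isEqual(token.getBytes(StandardCharsets.UTF_8), given)) {
                    return true;
                }
            }
            return false;
        }
    }

    /** Stand-in for an incoming request: only the parts the check needs. */
    static final class Request {
        final Map<String, Object> session;   // stand-in for HttpSession attributes
        final Map<String, String> headers;   // request headers as sent by the client

        Request(Map<String, Object> session, Map<String, String> headers) {
            this.session = session;
            this.headers = headers;
        }
    }

    static final String TOKEN_ATTR = "csrfTokenStore";   // hypothetical session attribute name
    static final String TOKEN_HEADER = "X-CSRF-Token";   // hypothetical header name

    /** Server side: the token must arrive in a custom header, never only in a cookie. */
    static boolean passesCsrfCheck(Request req, long now) {
        CsrfTokenStore store = (CsrfTokenStore) req.session.get(TOKEN_ATTR);
        return store != null && store.isValid(req.headers.get(TOKEN_HEADER), now);
    }

    public static void main(String[] args) {
        long now = System.currentTimeMillis();
        Map<String, Object> session = new HashMap<>();
        CsrfTokenStore store = new CsrfTokenStore(15 * 60 * 1000L);   // 15-minute tokens
        session.put(TOKEN_ATTR, store);

        // Page load: the server hands the UI a token (e.g. in a response header or meta tag).
        String token = store.issue(now);

        // Same-origin Ext JS XHR: it can read the token and set the header.
        Map<String, String> okHeaders = new HashMap<>();
        okHeaders.put(TOKEN_HEADER, token);
        System.out.println("same-origin XHR:      " + passesCsrfCheck(new Request(session, okHeaders), now));

        // Cross-site request: the browser attaches the session cookie automatically, but a
        // page on another origin cannot read the token or add a custom header to a form post.
        System.out.println("cross-site form post: " + passesCsrfCheck(new Request(session, new HashMap<>()), now));

        // Guessed token: rejected.
        Map<String, String> badHeaders = new HashMap<>();
        badHeaders.put(TOKEN_HEADER, "not-the-token");
        System.out.println("guessed token:        " + passesCsrfCheck(new Request(session, badHeaders), now));

        // Expired token: rejected once its window has passed.
        System.out.println("after expiry:         " + passesCsrfCheck(new Request(session, okHeaders), now + 16 * 60 * 1000L));
    }
}
```

The property this relies on is the browser's same-origin policy: the session cookie is sent on any request, so it proves nothing about who built the request, but the token value is only readable by script from the application's own origin and can only be attached as a custom header by such script. Delivering the token over HTTPS, as the other replies ask, is what stops a network observer from reading it in transit; the check above does nothing against that on its own. Because tokens are per session and reusable until they expire, a request that fails or is retried keeps working, and the store's expiry window bounds how long a leaked token would remain usable.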