I'm looking at possible solutions to protect my GWT app against XSRF.

If I understand GWT's solution correctly - it makes available a Servlet which you use to both generate the token on the client-side (when calling your RPC endpoint) and to validate on the server-side (when the call hits your service).

Does this solution only cater for RPC calls? Surely we need it to cover all user generated requests to the server?

Any other recommended XSRF solutions (I'm also looking at OWASP's CSRFGuard)?

Markus Coetzee

1 Answer

I modified the GWT Sample App to be protected against XSRF. This solution is roughly based on the solution provided in the GWT developer docs. http://code.google.com/p/xsrf-safe/

Nick Siderakis
  • I looked at your solution. What I am wondering is where you create and handle the cookie on the client side. Because I do not use google-apps, how can I use the cookie JSESSIONID, which does not have a value? Where do you set the value of the cookie, and how do you handle the cookie? Can you explain this, or point me to a link? Thanks – Darwly Jun 20 '12 at 13:21
  • "JSESSIONID cookie is created/sent when session is created. Session is created when your code calls request.getSession() or request.getSession(true) for the first time." -http://stackoverflow.com/questions/595872/under-what-conditions-is-a-jsessionid-created – Nick Siderakis Jun 20 '12 at 14:09
  • In the example request.getSession() is called in Xsrf_Safe.jsp http://code.google.com/p/xsrf-safe/source/browse/trunk/war/Xsrf_Safe.jsp – Nick Siderakis Jun 20 '12 at 14:11
  • So you are actually giving the session value as a JavaScript variable, "xsrf" : "<%=XsrfTokenUtil.getToken(request.getSession().getId())%>", but where do you call Cookie.create()? How come you have an already generated cookie? Does this follow from using google-apps-engine with sessions enabled? Because my code requires me to explicitly create the cookie with the given name – Darwly Jun 20 '12 at 14:40
  • The JSESSIONID cookie is created automatically by the server when using sessions. It is not App Engine specific, it's part of JSP. The GWT client doesn't use cookies directly; the cookie just maintains the session. The JSP uses the session id to generate a secure token, and injects the token as a JavaScript variable. The client just reads the JavaScript variable and passes it back in the HTTP header in each GWT-RPC request. The server then validates the token from the header. What are you trying to accomplish? – Nick Siderakis Jun 20 '12 at 16:27
  • If you just need to rename the JSESSIONID cookie, there are some options depending on which server you use. http://stackoverflow.com/questions/877064/changing-cookie-jsessionid-name – Nick Siderakis Jun 20 '12 at 16:28
  • What's the purpose of hashing the session ID? – user1050755 Mar 21 '14 at 14:38
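The round trip the answer's comments describe (token derived from the session id and injected by the JSP, echoed by the client in a header, recomputed and checked on the server), written out as an added example. This is not code from the xsrf-safe project or from GWT's own XsrfTokenServiceServlet: it swaps the plain hash discussed in the thread for an HMAC-SHA256 keyed with a server-side secret, so the token that is visible to page JavaScript cannot be turned back into the HttpOnly JSESSIONID value, and it validates in a servlet Filter rather than only inside the RPC servlet, so whatever URL pattern the filter is mapped to is covered, not just GWT-RPC. The header name X-XSRF-Token, the class and method names, the per-process random secret, and the sample session id are all assumptions made for the example.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Set;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Added example, not the xsrf-safe project's or GWT's code.
 * The JSP calls getToken(secret, session.getId()) and injects the result as a
 * JavaScript variable; the client sends it back in the X-XSRF-Token header;
 * this filter recomputes the token from the session the JESSIONID cookie
 * identifies and rejects any state-changing request whose header does not match.
 * Requires the Servlet API on the classpath; the token helpers themselves do not.
 */
public final class XsrfFilter implements Filter {
    static final String HEADER = "X-XSRF-Token"; // assumed header name
    /** Methods assumed to have no side effects; everything else must carry the token. */
    static final Set<String> SAFE_METHODS = Set.of("GET", "HEAD", "OPTIONS");
    private byte[] secret;

    /**
     * Token = base64url(HMAC-SHA256(secret, sessionId)). Keyed, so knowing the
     * token does not reveal the session id, unlike an unkeyed hash of a short id.
     */
    public static String getToken(byte[] secret, String sessionId) {
        try {
            Mac mac = Mac.getInstance("HmacSHA256");
            mac.init(new SecretKeySpec(secret, "HmacSHA256"));
            byte[] tag = mac.doFinal(sessionId.getBytes(StandardCharsets.UTF_8));
            return Base64.getUrlEncoder().withoutPadding().encodeToString(tag);
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException("HmacSHA256 unavailable", e);
        }
    }

    /** True only when the presented token equals the one derived from this session. */
    public static boolean isValid(byte[] secret, String sessionId, String presented) {
        if (sessionId == null || presented == null) {
            return false; // no session or no header: a cross-site request looks exactly like this
        }
        byte[] expected = getToken(secret, sessionId).getBytes(StandardCharsets.UTF_8);
        byte[] actual = presented.getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(expected, actual); // constant-time comparison
    }

    @Override
    public void init(FilterConfig cfg) {
        // Assumption: one random secret per process, held only in server memory.
        secret = new byte[32];
        new SecureRandom().nextBytes(secret);
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        if (!SAFE_METHODS.contains(request.getMethod())) {
            HttpSession session = request.getSession(false); // never create a session here
            String sessionId = session == null ? null : session.getId();
            if (!isValid(secret, sessionId, request.getHeader(HEADER))) {
                ((HttpServletResponse) res).sendError(HttpServletResponse.SC_FORBIDDEN,
                        "missing or invalid XSRF token");
                return;
            }
        }
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() {
    }

    /** Stand-alone demonstration of the token round trip without a servlet container. */
    public static void main(String[] args) {
        byte[] secret = new byte[32];
        new SecureRandom().nextBytes(secret);
        String sessionId = "A1B2C3D4E5F6";          // constructed sample JSESSIONID value
        String token = getToken(secret, sessionId); // what the JSP would inject into the page
        System.out.println("token for session:  " + token);
        System.out.println("same session echo:  " + isValid(secret, sessionId, token));
        System.out.println("different session:  " + isValid(secret, "Z9Y8X7W6", token));
        System.out.println("header missing:     " + isValid(secret, sessionId, null));
    }
}
```

The check works because a cross-site request carries the victim's JSESSIONID cookie automatically but cannot read the page, and therefore cannot read the JavaScript variable or set the custom header; any request without a matching header is refused before it reaches the RPC servlet. Two caveats: the filter's URL mapping decides what is protected, so map it over every state-changing endpoint rather than only the GWT-RPC path, and the random-per-process secret shown here must be replaced with one shared across all nodes if sessions are replicated, or tokens minted on one node will fail on another. Exempting GET is only safe if no GET handler changes state.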