2

I have a struts2 webapp in which I need to implement CSRF protection. For statis forms it is pretty straight forward. I just need to activate the tokenSession interceptor & then set <s:token/> in the form to be submitted. (explained here and here)

But the problem appears when I need to enable CSRF protection for POST AJAX calls (I am using jQuery) which are not necessarily submitted via forms. I face the issue of re-using token when making subsequent AJAX calls.

Any pointers or different approaches are appreciated.

Chantz
  • 5,883
  • 10
  • 56
  • 79

2 Answers2

3

Currently I have resolved the issue by generating tokens for AJAX requests and sending it with the normal response like so -

    Map<String, String> tokenInfo = Maps.newHashMap();
    tokenInfo.put("struts.token.name", TokenHelper.getTokenName());
    tokenInfo.put(TokenHelper.getTokenName(), TokenHelper.setToken());

I will abstract out a util method out of this & have the Actions that are token-activated to return this as part of response for actions which will be executed repeatedly without refresh of the page.

I am still looking for an elegant solution to this though.

Chantz
  • 5,883
  • 10
  • 56
  • 79
  • We are facing this issue too. Did you find better solutions? Also., can you explain more about your solution? Do you make any changes in JSP files too. – Alireza Fattahi Sep 25 '13 at 19:11
0

Can't you generate a Token and use it as parameter in the ajax call ?

For the subsequent AJAX calls, you can use a per-user Token,

not necessarily a per-request Token,

as explained in this SO answer: Do I need a CSRF token for jQuery .ajax()?

Community
  • 1
  • 1
Andrea Ligios
  • 49,480
  • 26
  • 114
  • 243
  • 1
    Thanks but I was thinking of all also preventing double submits as well. "Per user" approach will not help that much for that. – Chantz Nov 14 '12 at 15:21