How can we have a persistent token value (or Form Key) during the valid session in Struts2? When <s:token/> is in the forms, after submitting the form, the token's value gets changed. It causes this problem that users cannot open 2 browser tabs and work with them (only one tab is active due to the tokens' unique value per form). How can I solve this with Struts2 and have a durable token value per session (not per form)?

I think overriding the interceptor can solve the problem, but I want to consider other options.

BalusC
Amin Sh

2 Answers

Don't use a token at all

If you require something per session, use the session itself. The token is meant to prevent request replay attacks. So just having one per session doesn't make sense.

coding_idiot
  • Please look at this link: http://stackoverflow.com/questions/10466241/new-csrf-token-per-request-or-not and this chat: http://chat.stackoverflow.com/rooms/10926/discussion-between-laurencei-and-zerkms ---- Conclusion: per-session tokens prevent CSRF attacks. Isn't that right? – Amin Sh Oct 03 '13 at 12:57
  • @AminSh This answer doesn't make sense; maybe it has a sense of humor, but no more. OWASP has nothing against the per-session token, but this token can't be used to prevent double submission. – Roman C Oct 03 '13 at 16:49
  • A token per session can prevent CSRF, and it must be something other than the session id http://security.stackexchange.com/questions/22903/why-refresh-csrf-token-per-form-request ; although the Struts token seems to be best for double submission, it can also be used as a CSRF preventer. – Alireza Fattahi Jan 25 '16 at 07:30

I also had the same problem: in my functionality there is a preview which opens in a new tab. The user can preview multiple times, so it was throwing a token exception. I came up with this code: at the start of the function I wrote:

import org.apache.struts2.util.TokenHelper;
// read the token name and value carried by the current request, before doing any work
String downloadTokenName = TokenHelper.getTokenName();
String downloadToken = TokenHelper.getToken(downloadTokenName);

At the end of the function, in finally, I reassign the token value as:

TokenHelper.setSessionToken(downloadTokenName, downloadToken); // put the consumed token back so the other tabs' forms still validate

It solved my problem.
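The save-and-restore pattern from this answer, written out as a complete Struts2 action, as an added example (this is not code from the answer above or from the Struts project). The class name, the renderPreview() helper and the use of com.opensymphony.xwork2.ActionSupport (Struts 2.x; Struts 6 moved the class to org.apache.struts2) are assumptions. The point worth seeing in full is the trade-off the first answer and its comments argue about: the token interceptor removes the session token when it validates a request, so restoring it keeps multi-tab use working but deliberately gives up double-submit protection for this one action, while CSRF protection is unaffected because the token stays bound to the session and is never exposed beyond it.

```java
package example; // hypothetical package name

import com.opensymphony.xwork2.ActionSupport;
import org.apache.struts2.util.TokenHelper;

/**
 * Preview action that runs under the "token" interceptor but keeps the session
 * token stable, so a form that is open in several tabs can be submitted from each.
 *
 * Expected interceptor wiring in struts.xml (the "token" and "tokenSession"
 * interceptors ship with Struts2; this action is an assumed name):
 *
 *   <action name="preview" class="example.PreviewAction">
 *     <interceptor-ref name="token"/>
 *     <interceptor-ref name="defaultStack"/>
 *     <result name="invalid.token">/invalidToken.jsp</result>
 *     <result>/preview.jsp</result>
 *   </action>
 */
public class PreviewAction extends ActionSupport {

    @Override
    public String execute() {
        // By the time execute() runs, TokenInterceptor has compared the request
        // token with the session token and REMOVED it from the session. The
        // request parameters still carry the name and value, so capture them
        // before doing any work (this mirrors the two lines in the answer).
        String tokenName = TokenHelper.getTokenName();
        String token = (tokenName == null) ? null : TokenHelper.getToken(tokenName);

        try {
            renderPreview();
            return SUCCESS;
        } finally {
            // Put the consumed token back so the other open tabs, which still hold
            // the same <s:token/> value, validate on their next submit.
            // Caveat: this intentionally disables double-submit (replay) protection
            // for THIS action only. Keep the token interceptor as-is on any action
            // that must not be repeated (orders, payments, state changes).
            if (tokenName != null && token != null) {
                TokenHelper.setSessionToken(tokenName, token);
            }
        }
    }

    /** Assumed stand-in for the real preview rendering; it is idempotent, which is
     *  the property that makes restoring the token acceptable here. */
    private void renderPreview() {
        // build the preview model for preview.jsp
    }
}
```

Restoring the token is only reasonable for actions that are safe to repeat, such as a read-only preview; for anything with side effects the missing-token result (invalid.token) is the behaviour you want to keep.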

Paul Roub
Komal