1

I am implementing tokens for CSRF prevention. I am putting the value of the CSRF token in a session attribute like this:

session.setAttribute("csrfToken", csrfToken);

My login page gets that attribute and submits that CSRF token to the servlet. My login.jsp looks like this:

  <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">

<%@ taglib uri="http://java.sun.com/jsp/jstl/core" prefix="c" %>
<%@ taglib uri="http://jakarta.apache.org/struts/tags/struts-html" prefix="html" %>
<%@ taglib uri="http://devel.payo.org/tlibs/payo-core" prefix="payo" %>
<%@ page session="true" %>

<html:html>

***<input id="token" type="hidden" value="${sessionScope.csrfToken}" />***
<c:choose><c:when test="${not empty loggedUser}">
    <head>
        <meta http-equiv="refresh" content="0;URL=${pathPrefix}/home">
    </head>
</c:when><c:otherwise>

    <jsp:include page="/pages/general/layout/head.jsp" />
    <payo:customizedFilePath type="style" name="login.css" var="loginUrl" groupId="${empty loggedUserId ? cookie.groupId.value : ''}" groupFilterId="${empty loggedUserId ? cookie.groupFilterId.value : ''}" />    
    <link rel="stylesheet" href="<c:url value="${loginUrl}" />">    

    <jsp:include flush="true" page="/pages/access/includes/loginDefinitions.jsp" /> 

    <payo:includeCustomizedFile type="static" name="login.jsp" groupId="${empty loggedUserId ? cookie.groupId.value : ''}" groupFilterId="${empty loggedUserId ? cookie.groupFilterId.value : ''}" />   

    <script>
        if (!is.ie6) {
            var td = $('loginRegistration');
            var div = $('loginRegistrationDiv');
            if (td && div) {
                div.style.height = (td.getHeight() - 10) + "px";
            }
        }
        ensureLoginForm();
    </script>

</c:otherwise></c:choose>

</html:html>

The problem I am facing is that when I try to get the value of the hidden input which contains the token from the session, I am getting just null... I will be very thankful if someone can help. This is how I retrieve the value:

 String token = request.getParameter("token");
Talib
  • How are you calling this request? Since there is no name on this input, I guess this could be the problem – AxelH Nov 21 '16 at 15:06
  • But the input has `id="token"`, isn't that enough? – Talib Nov 21 '16 at 15:07
  • Depends on what you used ... for example, in a `form` the name is what's used to find the field. Here, I have no idea what you used from what you explained – AxelH Nov 21 '16 at 15:09
  • I tried to get the value in the servlet like this: `String token = request.getParameter("token");` – Talib Nov 21 '16 at 15:10
  • In which servlet? This one or the one that will manage the request? Did you even try to check the input from the client? In JavaScript? `document.getElementById('token').value`? – AxelH Nov 21 '16 at 15:13
  • This is a duplicate question, please refer to [this link](http://stackoverflow.com/questions/17274775/session-getattribute-in-jsp-is-giving-null-value) – Yogesh W Nov 21 '16 at 15:21
  • @YogeshW I am doing it the same way as in the answer. – Talib Nov 21 '16 at 16:01
  • @Talib, add the code where you set the value in the session. Did you use the Session instance from the Request? Without answers, I can't help ... – AxelH Nov 24 '16 at 12:47
  • How do you submit that csrf token to the servlet? – Roman C Nov 24 '16 at 16:34
  • @RomanC won't the value of the token input be automatically submitted on the page submission? – Talib Nov 25 '16 at 21:51
  • @Talib It depends on the answer to the previous comment. You said that `My login page gets that attribute and submit that csrf token to servlet`, but it's unclear how you did that because there's no code that submits that csrf token to whatever servlet. – Roman C Nov 25 '16 at 21:57
  • @RomanC sorry for the late reply, I was out... the problem, I think, is not only in submission, because even when I try to access the value of the token in the JSP it says null.... – Talib Nov 28 '16 at 07:01
  • If it's not in submission, then I'm out of ideas. – Roman C Nov 28 '16 at 13:24
  • Please share your JSP and servlet code. – Sanjay Dec 01 '16 at 10:27
  • @RomanC you are right, the hidden value in the form is not being submitted. Can you please suggest how I can make it submit? – Talib Dec 05 '16 at 09:38
  • @Talib Wrap your JSP input tags with ``. – Roman C Dec 05 '16 at 11:26

3 Answers

0

To get the 'token' parameter from the request, you have to give the input element the name 'token':

<input name='token' .../>

The request.getParameter(String name) method gets the parameter based on the name attribute.

hiren
  • Actually it looks like it was null in the JSP as well; it's basically getting the session attribute value as null at "" but I don't know why. – Talib Nov 22 '16 at 05:32
  • Could you try `<%=session.getAttribute("csrfToken")%>` instead of using EL? – hiren Nov 22 '16 at 07:05
  • I tried this but I'm still receiving null. /> – Talib Nov 22 '16 at 07:19
  • Then there must be a problem with setting the session attribute. Check the code to confirm that the attribute is being set properly. – hiren Nov 22 '16 at 07:45
  • Yes, I had checked it after setting the token with `System.out.println(session.getAttribute("csrfToken"));` and the value is correct. – Talib Nov 22 '16 at 07:51
  • Would you share the code where you set the session attribute, and also confirm that you are not getting the session value before setting it? – hiren Nov 26 '16 at 06:51
-1

If you are creating a new session using <%@ page session="true" %>, then where will your token come from using ${sessionScope.csrfToken}? Make session="false" and then try.

Sanjay
  • Before coming to login.jsp, you are creating one session and putting your token in the session. Now you come to login.jsp with the same session, but here you have created a new session using <%@ page session="true" %>, so the previously created session will be destroyed with all its params and a new session will be created, and your token is not in the new session. So try after removing <%@ page session="true" %> or make it false. – Sanjay Nov 28 '16 at 07:20
  • Well, if `session` is set to `true` in this directive, it doesn't necessarily create a new session if one already exists. – 31piy Nov 30 '16 at 07:51
-1

I suspect that the line below is making a new session while coming to this page, which is causing it to be null.

<%@ page session="true" %>

Can you please make it <%@ page session="false" %> and then cross-check? I strongly believe it should work.

dildeepak