Struts 1中的CSRF令牌实现

Question

We are using synchronizer token to prevent CSRF vulnerability as below

1> saveToken(request)
2> <input type="hidden"
   name="<%=org.apache.struts.taglib.html.Constants.TOKEN_KEY%>"
   value="<bean:write name="<%=Globals.TRANSACTION_TOKEN_KEY%>"/>">
3> isTokenValid(request) 

The fix is not working due to token not being refreshed. what can be causing this.

Also what difference, below code will make

isTokenValid(request,reset)

Answer 1

During the action that displays your edit page, you call the saveToken method.

saveToken(request)

This generated a new token and saves it on the session (the html:form tag detects this value and stores it as a hidden value on your html form). You don't really need to create an input hidden element in your JSP, cause the saveToken method together with html:form will create it.

During the action that saves your data, you call the isTokenValid method. This method checks that the value submitted matches the token saved on the session.

At this point and if the token is valid, you have two options:

1. You can call resetToken , which clears the token on the session. So, if the user submits the page again, the token on the session should be cleared and the second call to isTokenValid will fail.

2. Pass true in as the second parameter to isTokenValid . This will reset the token after checking it.

    isTokenValid(request,true) 

You can find more info in Struts API of:

1. isTokenValid(javax.servlet.http.HttpServletRequest request)
2. saveToken(javax.servlet.http.HttpServletRequest request)

Hope this help you.