
CSRF Token implementation in Struts 1

We are using a synchronizer token to prevent a CSRF vulnerability, as below:

1. saveToken(request)
2. <input type="hidden"
          name="<%=org.apache.struts.taglib.html.Constants.TOKEN_KEY%>"
          value="<bean:write name="<%=Globals.TRANSACTION_TOKEN_KEY%>"/>">
3. isTokenValid(request)

The fix is not working because the token is not being refreshed. What could be causing this?

Also, what difference will the code below make?

isTokenValid(request, reset)

During the action that displays your edit page, you call the saveToken method.

saveToken(request)

This generates a new token and saves it in the session (the html:form tag detects this value and stores it as a hidden field on your HTML form). You don't really need to create a hidden input element in your JSP, because the saveToken method together with html:form will create it.

During the action that saves your data, you call the isTokenValid method. This method checks that the value submitted matches the token saved on the session.

At this point and if the token is valid, you have two options:

  1. You can call resetToken, which clears the token in the session. So, if the user submits the page again, the token in the session will already have been cleared and the second call to isTokenValid will fail.

  2. Pass true as the second parameter to isTokenValid. This will reset the token after checking it.

     isTokenValid(request, true)

You can find more info in the Struts API for:

  1. isTokenValid(javax.servlet.http.HttpServletRequest request)
  2. saveToken(javax.servlet.http.HttpServletRequest request)

Hope this helps you.
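The display/save sequence described in the answer, as an added example in Struts 1 Java (this is not code from the original question or answer). The action class names, the "edit" and "success" forward names, the "/saveEdit" action path and the "errors.token" message key are assumptions for illustration; saveToken, isTokenValid, resetToken, saveErrors, Globals.TRANSACTION_TOKEN_KEY and Constants.TOKEN_KEY are the real Struts 1 API.

```java
// PrepareEditAction.java and SaveEditAction.java (two files, shown together).
// Added example of the saveToken / isTokenValid(request, true) sequence; not
// code from the original question or answer. Class names, forward names, the
// action path and the "errors.token" message key are assumptions.
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.struts.action.Action;
import org.apache.struts.action.ActionForm;
import org.apache.struts.action.ActionForward;
import org.apache.struts.action.ActionMapping;
import org.apache.struts.action.ActionMessage;
import org.apache.struts.action.ActionMessages;

/**
 * Runs before every display of the edit page. Every request for the page must
 * go through this action (not straight to the JSP); otherwise no fresh token is
 * put in the session, the form carries no token, and the later isTokenValid
 * check fails.
 */
public class PrepareEditAction extends Action {
    @Override
    public ActionForward execute(ActionMapping mapping, ActionForm form,
                                 HttpServletRequest request,
                                 HttpServletResponse response) throws Exception {
        // Generates a new token and stores it in the session under
        // Globals.TRANSACTION_TOKEN_KEY. In the JSP,
        //   <html:form action="/saveEdit" method="post"> ... </html:form>
        // sees that session attribute and renders the hidden input named
        // Constants.TOKEN_KEY itself, so no hand-written <input type="hidden">
        // for the token is needed.
        saveToken(request);
        return mapping.findForward("edit");
    }
}

/** Handles the POST from the edit page. */
public class SaveEditAction extends Action {
    @Override
    public ActionForward execute(ActionMapping mapping, ActionForm form,
                                 HttpServletRequest request,
                                 HttpServletResponse response) throws Exception {
        // Compares the submitted hidden field with the session token. With the
        // second argument true, the session token is removed as part of the
        // check, so a second POST of the same form (double submit, or a
        // replayed request) no longer matches anything and is rejected.
        if (!isTokenValid(request, true)) {
            ActionMessages errors = new ActionMessages();
            errors.add(ActionMessages.GLOBAL_MESSAGE,
                       new ActionMessage("errors.token"));
            saveErrors(request, errors);
            // The reset removed whatever session token existed, whether or not
            // it matched, so issue a new one before showing the form again;
            // otherwise the user's next submit would also be rejected.
            saveToken(request);
            return mapping.findForward("edit");
        }

        // ... persist the form bean here ...

        // "success" is assumed to be configured as a redirecting forward in
        // struts-config.xml so a browser refresh does not re-send the POST.
        return mapping.findForward("success");
    }
}
```

Note that with reset=true the session token is cleared before the comparison result is known, so a failed check leaves the session without a token; the example re-issues one with saveToken before redisplaying the form. The equivalent two-call form is isTokenValid(request) followed by resetToken(request) on success.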
