Ajax and CSRF vulnerability


  • Subject: Ajax and CSRF vulnerability
  • From: GILQUIN Pierre <email@hidden>
  • Date: Thu, 06 Dec 2018 14:57:17 +0000
  • Thread-topic: Ajax and CSRF vulnerability

Hi,

1) I used a hidden field wosid to prevent CSRF vulnerability in a standard
Wonder application (<input type="hidden" name="wosid"
value="wIrACwBfmFeiVyNcVMFkow"> ).
I just compare this hidden field with the real sessionID.

Now, I want to use the same protection in some ajaxified components. Problem:
by default, the http post is partial and wosid is not sent.
"fullSubmit = true" cannot be easily used in this app.

Is there a way to config/adapt the Ajax Wonder framework so that the wosid will
always be added to the partial formValues?

2) This application must be deployed in a Tomcat environment. I have seen a
cookie with the Tomcat session JSESSIONID.
Is there a way to access the Tomcat JSESSIONID in the Wonder app in order to
compare it with the value in the cookie?

Thanks for any help
Pierre

Webobjects-dev mailing list

  • Follow-Ups:
    • Re: Ajax and CSRF vulnerability
      • From: Kai Lochbaum <email@hidden>