[seam-dev] XSRF and JSF2

Dan Allen dan.j.allen at gmail.com
Wed Oct 1 12:32:05 EDT 2008


Christian,

Thanks for bringing this to everyone's attention. It's a very critical
part of the discussion. I did anticipate this problem when I put forth
the idea that the automatic building of a view in restore view should
be configurable so that it only applies to certain "stateless" view
IDs.

For instance, on a login page, you don't have any credentials and are
requesting the server to authenticate you, so really the previous view
doesn't matter (unless of course there is some auto-login feature
enabled). A contact form is another great example. It would be no
different than implementing a GET request with a page action. No doubt
I am not thinking of some obscure attack, so feel free to cite where
my logic is faulty, but I believe there is such a thing as a stateless
page.

-Dan

On Tue, Sep 30, 2008 at 12:01 PM, Christian Bauer
<christian.bauer at gmail.com> wrote:
> Because it is back on Slashdot again today, I remembered why the "let's
> automatically build a view if we don't have one in RESTORE VIEW phase"
> proposal in JSF 2.0 was not sitting right with me.
>
> You need a little background on XSRF (Wikipedia or something) and see the
> older discussion here and especially my last comment:
>
> http://www.seamframework.org/Community/IsSeamRemotingVulnerableToCrossSiteRequestForgery
>
> I actually now think that we should have a cryptographically strong (and of
> course mandatory) view identifier for better XSRF protection. There are some
> other solutions worth discussing but AFAIK most of the good ones involve a
> token/session mapping of some kind, so we run into the "view has expired"
> problem again.
>
> _______________________________________________
> seam-dev mailing list
> seam-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/seam-dev
>



-- 
Dan Allen
Software consultant | Author of Seam in Action

http://mojavelinux.com
http://mojavelinux.com/seaminaction

NOTE: While I make a strong effort to keep up with my email on a daily
basis, personal or other work matters can sometimes keep me away
from my email. If you contact me, but don't hear back for more than a week,
it is very likely that I am excessively backlogged or the message was
caught in the spam filters.  Please don't hesitate to resend a message if
you feel that it did not reach my attention.
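The two positions in this exchange, Christian's token/session mapping (a strong, unguessable view identifier that a cross-site page cannot forge, at the cost of the "view has expired" failure when the mapping is gone) and Dan's exemption for "stateless" view IDs that may be built on the fly in RESTORE VIEW, can be modelled in a few lines. The following is an added example written for this page, not Seam or JSF code: the class, the method names, the view IDs and the stateless set are all constructed for illustration, and it stands in for what a JSF state manager would do rather than calling any javax.faces API.

```python
import secrets
import time
from collections import OrderedDict

# Views treated as "stateless" in Dan's sense: the postback carries no prior
# server-side state worth protecting, so the view may be built on the fly.
# Constructed set for this example; not a Seam or JSF configuration key.
STATELESS_VIEW_IDS = {"/login.xhtml", "/contact.xhtml"}


class ViewTokenSession:
    """Per-user session holding a token -> view-id mapping (constructed model).

    The token plays the role of the cryptographically strong view identifier
    Christian asks for: a cross-site form cannot name a valid one, so a forged
    postback is refused. The cost is exactly the problem he notes: once the
    mapping is gone (eviction or timeout) the view "has expired".
    """

    def __init__(self, max_views=3, ttl_seconds=600):
        self.max_views = max_views        # cap on live views per session
        self.ttl_seconds = ttl_seconds    # how long a rendered view stays valid
        self._views = OrderedDict()       # token -> (view_id, issued_at)

    def render_view(self, view_id, now=None):
        """Called when a page is rendered: mint a token and remember the view."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._views[token] = (view_id, now)
        # Like a views-in-session limit: forget the oldest view first.
        while len(self._views) > self.max_views:
            self._views.popitem(last=False)
        return token

    def restore_view(self, view_id, token, now=None):
        """Called in RESTORE VIEW for a postback.

        Returns 'built' (stateless view, no token needed), 'restored'
        (token maps to this view and is still fresh) or 'expired'. An
        unknown token and a forgotten one are deliberately indistinguishable
        to the caller, which is what the "view has expired" error looks like.
        """
        now = time.time() if now is None else now
        if view_id in STATELESS_VIEW_IDS:
            return "built"
        if token is None:
            return "expired"
        entry = self._views.get(token)
        if entry is None:
            return "expired"           # never issued, guessed, or evicted
        stored_view, issued_at = entry
        if stored_view != view_id or now - issued_at > self.ttl_seconds:
            del self._views[token]
            return "expired"
        return "restored"


def demo():
    """Walk through the cases the thread raises; returns a dict of outcomes."""
    s = ViewTokenSession(max_views=2, ttl_seconds=600)
    results = {}
    t_edit = s.render_view("/edit-profile.xhtml", now=1000.0)
    # Genuine postback from the page that was rendered.
    results["legit"] = s.restore_view("/edit-profile.xhtml", t_edit, now=1001.0)
    # Postback without the token, or with a value that was never issued:
    # both are refused for a stateful view.
    results["no_token"] = s.restore_view("/edit-profile.xhtml", None, now=1002.0)
    results["unknown_token"] = s.restore_view("/edit-profile.xhtml", "A" * 43, now=1002.0)
    # Stateless view: built without any token, as Dan proposes for login.
    results["login_no_token"] = s.restore_view("/login.xhtml", None, now=1003.0)
    # Two more tabs push the oldest view out: the first tab now "has expired".
    s.render_view("/tab2.xhtml", now=1004.0)
    s.render_view("/tab3.xhtml", now=1005.0)
    results["evicted"] = s.restore_view("/edit-profile.xhtml", t_edit, now=1006.0)
    # Same failure via timeout: a valid token past the TTL is refused.
    t4 = s.render_view("/tab4.xhtml", now=2000.0)
    results["timed_out"] = s.restore_view("/tab4.xhtml", t4, now=2000.0 + 601)
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:15s} -> {outcome}")
```

The eviction and timeout branches are the point Christian makes: any design that binds a postback to a server-side mapping turns a legitimate but stale tab into a "view has expired" error, and that is the trade-off against building views on demand. The stateless set is the narrow escape hatch Dan proposes; it is only safe for views whose postback carries nothing that a forged request could misuse, which is why it is an explicit allow-list rather than the default.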


