[seam-dev] XSRF and JSF2

Christian Bauer christian.bauer at gmail.com
Thu Oct 2 21:25:28 EDT 2008


On Oct 03, 2008, at 03:20 , Shane Bryzak wrote:

> Why couldn't it just request the application's home page and parse  
> the response to extract the token value?

Because it's a random value that is generated for each form instance.  
A good random value. Shane, do you know what the JSF view identifier for  
server-side state saving is and how it is propagated onto the client and  
validated on the server? That's the XSRF protection. I'm wondering if  
you have the same in Seam Remoting and if, in general, the randomness  
of the JSF identifier is good enough.

> Ok, so in this case prevention is the best medicine, and if I'm  
> understanding correctly there's not much that can be done to protect  
> against/detect an XSS attack once the security hole has been  
> exploited.

I don't understand that. Let's forget about XSS for a moment and focus  
on XSRF.
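The mechanism Christian describes (a per-form random identifier issued by the server, carried back by the client and checked on the server) is the synchronizer-token pattern. The following is an added illustration, not Seam or JSF code: it models the server with a token store partitioned by session id, mints a fresh token each time a form is rendered, and accepts a POST only if the submitted token was minted for that same session. The hidden-field name `form_token`, the session ids and the `/transfer` form are constructed for the example; a real container would take the session id from the session cookie.

```python
import hmac
import re
import secrets

TOKEN_FIELD = "form_token"  # constructed field name for this example


class FormTokenStore:
    """Server-side store of per-form tokens, partitioned by session id."""

    def __init__(self):
        self._by_session = {}  # session_id -> set of tokens still valid

    def issue(self, session_id):
        """Mint a fresh 256-bit random token for one rendered form instance."""
        token = secrets.token_urlsafe(32)
        self._by_session.setdefault(session_id, set()).add(token)
        return token

    def validate(self, session_id, submitted):
        """Accept only a token minted for this session; consume it on success."""
        tokens = self._by_session.get(session_id, set())
        for token in list(tokens):
            # constant-time compare so timing does not leak the stored value
            if hmac.compare_digest(token, submitted):
                tokens.discard(token)  # one-time use: replay fails
                return True
        return False


def render_form(store, session_id):
    """Render the form for the given session with its token as a hidden field."""
    token = store.issue(session_id)
    return ('<form method="post" action="/transfer">'
            f'<input type="hidden" name="{TOKEN_FIELD}" value="{token}">'
            '<input name="amount"></form>')


def extract_token(html):
    """What a client that 'parses the response' would recover from the page."""
    match = re.search(rf'name="{TOKEN_FIELD}" value="([^"]+)"', html)
    return match.group(1) if match else None


def handle_post(store, session_id, fields):
    """Server-side handler: 200 if the token checks out for this session, else 403."""
    submitted = fields.get(TOKEN_FIELD, "")
    if not submitted or not store.validate(session_id, submitted):
        return 403
    return 200


def scenarios():
    """Run the cases discussed in the thread and return the HTTP status of each."""
    store = FormTokenStore()
    results = {}

    # 1. Legitimate flow: the user's own session renders and submits the form.
    victim_html = render_form(store, "sess-victim")
    victim_token = extract_token(victim_html)
    results["legit"] = handle_post(
        store, "sess-victim", {TOKEN_FIELD: victim_token, "amount": "10"})

    # 2. Replaying the already-consumed token in the same session.
    results["replay"] = handle_post(
        store, "sess-victim", {TOKEN_FIELD: victim_token, "amount": "10"})

    # 3. A token parsed from the page as rendered for a *different* session,
    #    submitted under the victim's session: the store rejects it because
    #    tokens are bound to the session that rendered the form.
    other_html = render_form(store, "sess-other")
    results["other_session_token"] = handle_post(
        store, "sess-victim", {TOKEN_FIELD: extract_token(other_html)})

    # 4. A request with no token at all (the classic cross-site form post).
    results["no_token"] = handle_post(store, "sess-victim", {"amount": "10"})
    return results


if __name__ == "__main__":
    for name, status in scenarios().items():
        print(f"{name}: {status}")
```

Two properties carry the protection: the token comes from a cryptographically strong generator (`secrets`, which is the question Christian raises about the JSF identifier), and it is bound to the session that rendered the form, so a copy parsed from a page fetched in any other session is worthless even though the page itself is public.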
