[seam-dev] JSF and CSRF
Christian Bauer
christian.bauer at gmail.com
Thu Mar 12 05:18:24 EDT 2009
On Mar 11, 2009, at 15:23 , Dan Allen wrote:
> Issue created and initial concept patch provided here https://jira.jboss.org/jira/browse/JBSEAM-4007
The patch seems to be working as expected and I still can't see why it
shouldn't work. ;) This is a nice solution that gives us independence
from the HTTP session but CSRF protection.
It won't work if the browser has cookies disabled. The best we can do
in that situation is: The <s:token> should use JavaScript to detect if
cookies are enabled and display a warning if not. We have to let users
know after the first request if it works or not, can't wait for the
second request to hit the server (with the cookies included).
function checkCookieSupport() {
    // An empty document.cookie only means no cookie has been set yet, not
    // that cookies are disabled, so write a probe cookie and read it back.
    // "seamCookieProbe" is a placeholder name, not part of the patch.
    document.cookie = "seamCookieProbe=1; path=/";
    var cookiesEnabled = document.cookie.indexOf("seamCookieProbe=") !== -1;
    if (!cookiesEnabled) {
        jQuery("body")
            .prepend("<div class='cookieJavaScriptWarning'>" +
                     "This website uses a cross-site scripting " +
                     "protection mechanism that requires " +
                     "cookies to be enabled in your browser. See " +
                     "<a href='http://seamframework.org/foo'>this " +
                     "page</a> for more information." +
                     "</div>");
    }
}
Optionally, we can also execute a WebRemote request to a new Seam
resource that will log a WARN. I'm not sure how useful this is going
to be though: There is nothing the developer can do and the operations
guys probably don't care if someone disables cookies.