Christian Bauer wrote:
> On Oct 03, 2008, at 03:20, Shane Bryzak wrote:
> > Why couldn't it just request the application's home page and parse
> > the response to extract the token value?
> Because it's a random value that is generated for each form instance.
> A good random. Shane, you know what the JSF view identifier for
> server-side state saving is and how it is propagated onto the client
> and validated on the server? That's the XSRF protection. I'm wondering
> if you have the same in Seam Remoting and if in general, the
> randomness of the JSF identifier is good enough.

So, for this token to actually work, it must be propagated with every
single request that is sent to the server - included as a request
parameter with every single link, form submission, basically every
single GET and POST request that is made must include the token, right?

> > Ok, so in this case prevention is the best medicine, and if I'm
> > understanding correctly there's not much that can be done to protect
> > against/detect an XSS attack once the security hole has been exploited.
> I don't understand that. Let's forget about XSS for a moment and focus
> on XSRF.

Good idea.
_______________________________________________
seam-dev mailing list
seam-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/seam-dev