Re: [seam-dev] XSRF and JSF2
On Oct 03, 2008, at 03:31 , Shane Bryzak wrote:
> Because it's a random value that is generated for each form
> instance. A good random. Shane, you know what the JSF view
> identifier for server-side state saving is and how it is propagated
> onto the client and validated on the server? That's the XSRF
> protection. I'm wondering if you have the same in Seam Remoting and
> if in general, the randomness of the JSF identifier is good enough.
So, for this token to actually work, it must be propagated with
every single request that is sent to the server - included as a
request parameter with every single link, form submission, basically
every single GET and POST request that is made must include the
token, right?
Every POST, definitely. GET is supposed to be idempotent and safe, not
to modify resource state. So if you abuse it to be non-safe, then yes
it needs the same XSRF protection.
And sometimes you have POSTs that are also "safe", like a login form.
That's the stateless view we were talking about.