On Mar 11, 2009, at 15:23 , Dan Allen wrote:
Issue created and initial concept patch provided here
https://jira.jboss.org/jira/browse/JBSEAM-4007
The patch seems to be working as expected and I still can't see why it
shouldn't work. ;) This is a nice solution that gives us independence
from the HTTP session but CSRF protection.
It won't work if the browser has cookies disabled. The best we can do
in that situation is: The <s:token> should use JavaScript to detect if
cookies are enabled and display a warning if not. We have to let users
know after the first request if it works or not, can't wait for the
second request to hit the server (with the cookies included).
// Warn the user when no cookie came back with the first response.
function checkCookieSupport() {
    if (!document.cookie) {
        jQuery("body")
            .prepend("<div class='cookieJavaScriptWarning'>" +
                "This website uses a cross-site scripting " +
                "protection mechanism that requires " +
                "cookies to be enabled in your browser. See " +
                "<a href='http://seamframework.org/foo'>this " +
                "page</a> for more information." +
                "</div>");
    }
}
Optionally, we can also execute a WebRemote request to a new Seam
resource that will log a WARN. I'm not sure how useful this is going
to be though: There is nothing the developer can do and the operations
guys probably don't care if someone disables cookies.
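A more robust probe for the check discussed above, as an added example (not code from the Seam patch or this thread): it writes a test cookie and reads it back instead of testing `!document.cookie`, which is also empty on a fresh visit with cookies enabled and never shows HttpOnly cookies. The probe cookie name and the `fakeDocument` stand-in are constructed so the check can run outside a browser.

```javascript
// Detect cookie support by writing a probe cookie and reading it back.
// `doc` is any object with a string `cookie` property (document in a browser).
function cookiesEnabled(doc) {
  const name = "seam_cookie_probe"; // constructed probe cookie name
  const value = String(Date.now());
  doc.cookie = name + "=" + value + "; path=/";
  const enabled = doc.cookie.split(";").some(function (c) {
    return c.trim() === name + "=" + value;
  });
  // Remove the probe again by expiring it.
  doc.cookie = name + "=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT";
  return enabled;
}

// Warning markup to show after the first response, before a second request
// would fail the token check because the cookie never reached the server.
function cookieWarningHtml(helpUrl) {
  return "<div class='cookieJavaScriptWarning'>" +
    "This website uses a request-forgery protection mechanism that requires " +
    "cookies to be enabled in your browser. See " +
    "<a href='" + helpUrl + "'>this page</a> for more information." +
    "</div>";
}

// Constructed stand-in for `document`: the setter behaves like a cookie jar
// (name=value pairs, expired ones removed) when `enabled` is true and drops
// every write when cookies are "disabled".
function fakeDocument(enabled) {
  const jar = new Map();
  return {
    get cookie() {
      return Array.from(jar, function (e) { return e[0] + "=" + e[1]; }).join("; ");
    },
    set cookie(str) {
      if (!enabled) return;
      const parts = str.split(";").map(function (p) { return p.trim(); });
      const eq = parts[0].indexOf("=");
      const name = parts[0].slice(0, eq), value = parts[0].slice(eq + 1);
      const expired = parts.slice(1).some(function (p) {
        return /^expires=/i.test(p) && new Date(p.slice(8)) < new Date();
      });
      if (expired) jar.delete(name); else jar.set(name, value);
    }
  };
}
```

In a page, call `cookiesEnabled(document)` once the first response has rendered and prepend `cookieWarningHtml(...)` to the body when it returns false.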