[seam-dev] XSRF and JSF2
Christian Bauer
christian.bauer at gmail.com
Thu Oct 2 21:25:28 EDT 2008
On Oct 03, 2008, at 03:20, Shane Bryzak wrote:
> Why couldn't it just request the application's home page and parse
> the response to extract the token value?
Because it's a random value that is generated for each form instance.
A good random. Shane, you know what the JSF view identifier for server-
side state saving is and how it is propagated onto the client and
validated on the server? That's the XSRF protection. I'm wondering if
you have the same in Seam Remoting and if in general, the randomness
of the JSF identifier is good enough.
> Ok, so in this case prevention is the best medicine, and if I'm
> understanding correctly there's not much that can be done to protect
> against/detect an XSS attack once the security hole has been
> exploited.
I don't understand that. Let's forget about XSS for a moment and focus
on XSRF.
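As an added illustration of the server-side state saving pattern Christian describes (not code from this thread, JSF or Seam; the in-memory store and session ids are stand-ins), a minimal Python model of a per-form random view identifier and its validation, showing why an identifier extracted from another session does not carry over:

```python
import secrets


class ViewStateStore:
    """Server-side state saving as described in the mail: each rendered form
    gets a fresh random identifier, the server keeps the state under that
    identifier, and a postback is accepted only if it presents an identifier
    the server issued to this same session."""

    TOKEN_BYTES = 32  # 256 bits from a CSPRNG; a counter or timestamp would be guessable

    def __init__(self):
        # session_id -> {view_id: saved_state}; constructed stand-in for a real session store
        self._sessions = {}

    def render_form(self, session_id, state):
        """Called when a form is rendered: issue a per-form random view id."""
        view_id = secrets.token_urlsafe(self.TOKEN_BYTES)
        self._sessions.setdefault(session_id, {})[view_id] = state
        return view_id

    def restore_view(self, session_id, submitted_view_id):
        """Called on postback: accept only an id issued to this session, once.
        A dict lookup suffices because the ids are high-entropy, not guessable."""
        views = self._sessions.get(session_id, {})
        return views.pop(submitted_view_id, None)  # one-time: replaying a captured id fails


def demo():
    store = ViewStateStore()
    # Victim renders the form; the browser holds an id bound to the victim's session.
    victim_view = store.render_form("victim-session", {"form": "transfer"})
    # Someone else requests the same page in their own session and extracts *their* id.
    other_view = store.render_form("other-session", {"form": "transfer"})
    return {
        "foreign_id_rejected": store.restore_view("victim-session", other_view) is None,
        "own_id_accepted": store.restore_view("victim-session", victim_view),
        "replay_rejected": store.restore_view("victim-session", victim_view) is None,
        "ids_differ": victim_view != other_view,
    }
```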