[seam-dev] XSRF and JSF2
Christian Bauer
christian.bauer at gmail.com
Thu Oct 2 21:40:37 EDT 2008
On Oct 03, 2008, at 03:31, Shane Bryzak wrote:
>> Because it's a random value that is generated for each form
>> instance. A good random. Shane, do you know what the JSF view
>> identifier for server-side state saving is and how it is propagated
>> onto the client and validated on the server? That's the XSRF
>> protection. I'm wondering if you have the same in Seam Remoting and
>> if, in general, the randomness of the JSF identifier is good enough.
>
> So, for this token to actually work, it must be propagated with
> every single request that is sent to the server - included as a
> request parameter with every single link, form submission, basically
> every single GET and POST request that is made must include the
> token, right?
Every POST, definitely. GET is supposed to be idempotent and safe, not
to modify resource state. So if you abuse it to be non-safe, then yes,
it needs the same XSRF protection.
And sometimes you have POSTs that are also "safe", like a login form.
That's the stateless view we were talking about.
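The token flow described in this thread (a random value per form instance, kept server-side, required on every POST and on any GET that changes state, skipped for a stateless view such as a login form), as an added Python model; this is not Seam or JSF code, and the hidden-field name `_xsrf_token`, the session ids and the store layout are assumptions made for the example.

```python
import hmac
import secrets

# Hypothetical hidden-field name; JSF/Seam carry their own view-state parameter.
TOKEN_FIELD = "_xsrf_token"
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


class FormTokenStore:
    """Server-side record of the random token issued to each rendered form,
    bound to the session it was rendered in (server-side state saving)."""

    def __init__(self):
        self._tokens = {}  # session_id -> set of outstanding form tokens

    def issue(self, session_id):
        """Called when a form is rendered: a fresh CSPRNG token per instance."""
        token = secrets.token_urlsafe(32)
        self._tokens.setdefault(session_id, set()).add(token)
        return token

    def consume(self, session_id, presented):
        """True iff `presented` matches a live token of this session; the
        token is then retired so a captured submission cannot be replayed."""
        if not presented:
            return False
        for token in list(self._tokens.get(session_id, ())):
            # constant-time comparison, so mismatches leak no prefix information
            if hmac.compare_digest(token.encode(), presented.encode()):
                self._tokens[session_id].discard(token)
                return True
        return False


def check_request(store, session_id, method, params,
                  modifies_state=False, stateless=False):
    """Return 'accepted', 'rejected' or 'skipped' for one request.

    Safe methods carry no token; a GET that changes state is treated like a
    POST; a stateless view (e.g. a login form) is exempt by design."""
    if method in SAFE_METHODS and not modifies_state:
        return "skipped"
    if stateless:
        return "skipped"
    if store.consume(session_id, params.get(TOKEN_FIELD)):
        return "accepted"
    return "rejected"
```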