[jbossseam-issues] [JBoss JIRA] Commented: (JBSEAM-4076) Client side state saving CSRF protection
Dan Allen (JIRA)
jira-events at lists.jboss.org
Wed Apr 8 19:02:23 EDT 2009
[ https://jira.jboss.org/jira/browse/JBSEAM-4076?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12461339#action_12461339 ]
Dan Allen commented on JBSEAM-4076:
-----------------------------------
I should clarify that this patch doesn't provide CSRF protection when using client-side state saving. That has already been guaranteed by the <s:token> design. What this patch provides is protection against a double form submit when using client-side state saving. It transfers control of the render stamp to the server so that it is possible to clear this value after the first submit. When the render stamp is stored in the view root with client-side state saving, there is no way to clear the value (since it is being delivered by the client each time).
> Client side state saving CSRF protection
> ----------------------------------------
>
> Key: JBSEAM-4076
> URL: https://jira.jboss.org/jira/browse/JBSEAM-4076
> Project: Seam
> Issue Type: Patch
> Reporter: Stuart Douglas
> Assignee: Dan Allen
> Attachments: bookingExampleUsingToken.diff, clientSideProtection.patch, tokenCdkTag.diff
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly contact one of the administrators: https://jira.jboss.org/jira/secure/Administrators.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira