Hi, we are doing XSRF fixes for our code. We are using the session-token-to-request-token comparison method to achieve this. In case the session token is not equal to the request token, we redirect to an error page.

Problem: Once we are in the Main Menu page, if the user refreshes the page, it throws an XSRF issue. Reason: there won't be any request token when we do a page refresh. Since the request token is NULL and is not equal to the session token, it throws the XSRF error.

The users of the application are not very happy with this approach. So is there any way to enable page refresh? Or is it absolutely necessary/important to disable page refresh (for security)?

Thanks in advance.

A: 

We use refresh in our pages and I don't see any security issues. The request token is part of the URL. When the page is refreshed, the request token is still in the URL.

How are you sending the request token?

ZZ Coder
I am setting the request token as a hidden variable in the JSP. The first time the page loads, since we don't have a request token, we have a token which will be TRUE, so the initial request goes through the filter. From then on the application depends on request tokens. Once the first page loads, that initial token is set to FALSE, so now we don't have the initial token or a request token for the first page, so on refresh this fails.
micheal
Sounds like your design doesn't allow refresh. You need to send the initial token on every page request.
ZZ Coder
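As an added illustration (this is not code from the thread and not the asker's JSP filter), here is a small Python model of the design ZZ Coder is pointing at: one token per session, embedded in every rendered page, checked only on state-changing requests. A refresh is just a repeated GET, so it passes without a token; a POST without the session's token (or with a guessed one) goes to the error path. The names `csrfToken`, `Session`, `Request` and the `/menu` path are hypothetical. The token is kept in a hidden field rather than in the URL, since URLs leak through Referer headers, browser history and server logs.

```python
"""Model of a session-token-vs-request-token CSRF filter that tolerates page refresh."""
import hmac
import secrets
from dataclasses import dataclass, field

# Hypothetical names for the session attribute and the hidden form field.
SESSION_ATTR = "csrfToken"
FORM_FIELD = "csrfToken"

# Safe methods must not change server state, so a refresh (a repeated GET) needs no token.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


@dataclass
class Session:
    attrs: dict = field(default_factory=dict)


@dataclass
class Request:
    method: str
    path: str
    params: dict = field(default_factory=dict)


def session_token(session: Session) -> str:
    """Return the session's CSRF token, minting one on first use."""
    token = session.attrs.get(SESSION_ATTR)
    if token is None:
        token = secrets.token_urlsafe(32)
        session.attrs[SESSION_ATTR] = token
    return token


def csrf_filter(request: Request, session: Session) -> str:
    """Return 'pass' if the request may proceed, 'error' if it should go to the error page."""
    expected = session_token(session)
    if request.method.upper() in SAFE_METHODS:
        return "pass"
    supplied = request.params.get(FORM_FIELD)
    # Constant-time comparison so the check does not leak the token byte by byte.
    if not supplied or not hmac.compare_digest(supplied, expected):
        return "error"
    return "pass"


def render_menu(session: Session) -> str:
    """Every rendered page embeds the current session token in a hidden field."""
    token = session_token(session)
    return (
        '<form method="post" action="/menu">'
        f'<input type="hidden" name="{FORM_FIELD}" value="{token}">'
        "</form>"
    )


def token_from_html(html: str) -> str:
    """Pull the hidden-field value out of the rendered form (what a browser would submit)."""
    marker = f'name="{FORM_FIELD}" value="'
    start = html.index(marker) + len(marker)
    return html[start:html.index('"', start)]


def scenario() -> dict:
    """Constructed walk-through: first load, refresh, a legitimate POST, and two forged POSTs."""
    session = Session()
    results = {}
    results["first_load"] = csrf_filter(Request("GET", "/menu"), session)
    html = render_menu(session)
    # Refresh: the browser repeats the GET with no form body. Must not be rejected.
    results["refresh"] = csrf_filter(Request("GET", "/menu"), session)
    # Legitimate submit carries the token the page embedded.
    good = Request("POST", "/menu", {FORM_FIELD: token_from_html(html)})
    results["valid_post"] = csrf_filter(good, session)
    # Cross-site form post from another origin: no token at all.
    results["missing_token"] = csrf_filter(Request("POST", "/menu", {}), session)
    # Attacker guessing a token of the right shape.
    forged = Request("POST", "/menu", {FORM_FIELD: secrets.token_urlsafe(32)})
    results["forged_token"] = csrf_filter(forged, session)
    # Re-rendering after the POST yields the same token, so a later refresh still works.
    results["token_stable"] = token_from_html(render_menu(session)) == token_from_html(html)
    return results


if __name__ == "__main__":
    for name, outcome in scenario().items():
        print(f"{name}: {outcome}")
```

The caveat that makes the GET exemption safe: nothing on the site may change state in response to a GET. If the Main Menu reaches any action through plain links, those actions need to become POSTs with the hidden field, or the exemption hands an attacker exactly the bypass the filter exists to stop.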