csrf

MVC 2 AntiForgeryToken - Why symmetric encryption + IPrincipal?

We recently updated our solution to MVC 2, and this has updated the way that the AntiForgeryToken works. Unfortunately this does not fit with our AJAX framework any more. The problem is that MVC 2 now uses symmetric encryption to encode some properties about the user, including the user's Name property (from IPrincipal). We are able to...

Why do I get a 403 error while accessing a WAP Django application with CSRF middleware enabled?

As the title says. Any ideas? When accessing from desktop browser it's all ok. ...

Prevent Cross-Site Request Forgery in a Spring WebFlow Application

I'm looking for a (hopefully straightforward) way to add CSRF protection to an application built on Spring WebFlow 2. An approach that migrates well to Spring WebFlow 3 (when released) is preferred. ...

CSRF protection and cross site form access

Hi. I am working on cross-site authentication (some domains have got common authentication). So I want to send authentication data (login, password) to the main domain from the others. How should I use protect_from_forgery, and how can I check if the data was received from a valid domain? What I am thinking now is to turn off protect_from_forgery for se...

security token problem with ajax requests

When building apps I use a token to prevent attacks on the forms. Each time a form is rendered it gets a new ONE TIME security token that I include in the form as a hidden field. This token is also stored in the session. When the form is sent, the token is verified against the token in the session to make sure the form is legit. This w...

For securing forms, when do I issue the token?

So, I have a form. To make it a little more secure and potentially help prevent CSRF attacks, I want to add a random token value in a hidden field; that value is also stored server-side in my session data. When should I issue a new token? Per form? Per page load where there is any form? Per session? I can render it invalid as soon as a fo...

Is a GWT app running on Google App Engine protected from CSRF?

I'm developing a GWT app running on the Google App Engine and am wondering if I need to worry about Cross-site request forgery, or is that automatically taken care of for me? For every RPC request that requires authentication, I have the following code: public class BookServiceImpl extends RemoteServiceServlet implements BookService { ...

django: after upgrade to 1.2 CSRF raises 403 though I don't have CSRF protection enabled

I have just upgraded to Django 1.2 and I am trying to run my project. After I login I get "Forbidden (403) CSRF verification failed. Request aborted.", which is strange because I haven't enabled CSRF protection previously. Do I have to configure something else to have my project work? ...

runtime loading of ValidateAntiForgeryToken Salt value

Consider an ASP.NET MVC application using the Salt parameter in the [ValidateAntiForgeryToken] directive. The scenario is such that the app will be used by many customers. It's not terribly desirable to have the Salt known at compile time. The current strategy is to locate the Salt value in the web.config. [ValidateAntiForgeryToken(S...

Django, CSRF protection and js generated form

I have to create a form dynamically via javascript (yeah, that sounds ugly, but read this for the reason) and want to make its submission CSRF proof. Usually, I use the @csrf_protect decorator in my views, and the {% csrf_token %} tag in my templates, as recommended in the doc. But what should I do with a client-side generated form? If...

struts2 invalid.token returned when form submitted using jQuery

Hi, I have inherited some code in which I now have to add CSRF prevention and am trying to use the struts2 tokenSession interceptor to do this. I am adding a token to my form using the struts2 token tag like so: <form id="updateObject" name="updateObject" action="<%=request.getContextPath()%>/prv/updateObject.action" method="POST"> ...

My jQuery AJAX POST requests work without sending an Authenticity Token (Rails)

Hi all, Are there any provisions in Rails that would allow all AJAX POST requests from the site to pass without an authenticity_token? I have a jQuery POST AJAX call that calls a controller method, but I did not put any authenticity code in it and yet the call succeeds. My ApplicationController does have 'request_forgery_protection' an...

CSRF vulnerability / cookies question

Just want to get input from people who know. I was considering CSRF vulnerabilities, and seemingly the most popular method I know to fight against it. That method is to create a token in the returned HTML and add a cookie with the same value. So if a script tries to do a post they would have to guess the token that's embedded in th...

SWFUpload with Django 1.2 csrf problem

I'm trying to upload files to Django with SWFUpload. Found this article Django with SWFUpload. But found one problem. In Django 1.2, CSRF requires a CSRF token to be sent on every form submit, and that includes files that are sent with SWFUpload. So uploading doesn't work until I turn off CSRF (globally or for the view using the @csrf_exempt decorator...

Handling CSRF protection when cookies are disabled

Without cookies enabled, a form post will throw ActionController::InvalidAuthenticityToken. For the most part, I just handle the exception with a message stating that cookies are required to login to my application. However, one thing users of my application can do is create content to be shared with other people, who may or may not be ...

csrf error in django

Hello, I want to realize a login for my site. I basically copied and pasted the following bits from the Django Book together. However I still get an error (CSRF verification failed. Request aborted.) when submitting my registration form. Can somebody tell me what raised this error and how to fix it? Here is my code: views.py: # Crea...

Disabling Django CSRF for views that do not always have a response

I have a Django view that receives POSTs which do not need to have the CSRF token. Therefore I used the @csrf_exempt decorator on the view. The problem is that sometimes I do not issue a response from the view (it's a Twitter bot, it receives an HTTP POST for every tweet and I do not want to respond to every tweet). When I don't issue a ...

How can I embed django csrf token straight into HTML?

Hi, within my Django app I am storing strings of HTML in the db that will then be displayed on the users' home pages as "messages". Some of these messages contain forms, but not being written in the template language, I am not able to insert the CSRF token (thus breaking the app). Is there a way to insert this token directly from wit...

Is this sufficient to protect against a CSRF for an ajax-driven application?

I'm working on a completely ajax-driven application where all requests pass through what basically amounts to a main controller which, at its bare bones, looks something like this: if(strtolower($_SERVER['HTTP_X_REQUESTED_WITH']) == 'xmlhttprequest') { fetch($page); } Is this generally sufficient to protect against cross-site requ...

Could a CSRF attack have any direct way of accessing or manipulating its target site's javascript variables?

Does it open any attack vector if an ajax-driven site uses a unique token stored as a javascript variable and verifies it with every request to prevent CSRF -- provided that the site is free from XSS holes? ...