adhpawal / csrf-filter Goto Github PK
View Code? Open in Web Editor NEWAutomatically exported from code.google.com/p/csrf-filter
Automatically exported from code.google.com/p/csrf-filter
What steps will reproduce the problem?
1. A hacker captures a request.
2. Modifies it as he wants (or creates a brand new request - just use the same
csrf parm and cookie names)
3. The csrf tokens in parms and in cookies stay as they where.
What is the expected output? What do you see instead?
Expected would be the detection that the request comes from a different user.
The csrf-filter only checks that the token values in parms and in cookies are
identicall. So, it accepts the request.
What version of the product are you using? On what operating system?
* current version from the trunk
* OS - any
Please provide any additional information below.
Original issue reported on code.google.com by [email protected]
on 12 Aug 2014 at 8:46
If you are using the application for more than 1 hour the cookie will time out
and will be refreshed with a new value. The result is that you're getting the
error 400.
I'm using version 2.4 of the library.
The request is to make the duration of the cookie configurable using an
init-param.
Original issue reported on code.google.com by [email protected]
on 14 Jan 2013 at 11:36
i have gwt application and i would like to use your CSRF Filter, Could you
please give me any advice how to add the ${csrf} to my gwt application.
appreciate your advice.
Thanks
Original issue reported on code.google.com by [email protected]
on 11 Mar 2014 at 3:20
What steps will reproduce the problem?
1. Design a form with method=Post
2. load the form in 1 browser tab, at this point the form has the csrf token
(say 123) and the value of the cookie is also 123.
3. Load the same form in browser tab 2, at this point the csrf token in the
page is (say 456) and the value of the cookie is now 456.
4. Now go back to tab 1 and submit that form, at this time, the csrf filter
will receive (123 from the page) and cookie value is 456 and the page will get
a HTTP 500 error which is incorrect.
What is the expected output? What do you see instead?
Authentication error should not occur.
What version of the product are you using? On what operating system?
Latest version of csrf-filter on Tomcat on windows 7.
Please provide any additional information below.
I like the fact that the token is not stored in the server-side session,
however, if the above issue cannot be solved, I see that there could be false
positives.
Original issue reported on code.google.com by [email protected]
on 11 Jul 2013 at 9:38
Performance: Check if logging is enabled.
Original issue reported on code.google.com by [email protected]
on 24 Feb 2015 at 9:44
Attachments:
I'd been going through the code. However, I do not see a place where the
${csrf} is replaced with actual value. However, it is being queried by
request.getParameter (...). How the value of ${csrf} is set?
Any help on this is appreciated.
Original issue reported on code.google.com by [email protected]
on 16 Jan 2013 at 9:03
A declarative, efficient, and flexible JavaScript library for building user interfaces.
๐ Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
The Web framework for perfectionists with deadlines.
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. ๐๐๐
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
We are working to build community through open source technology. NB: members must have two-factor auth.
Open source projects and samples from Microsoft.
Google โค๏ธ Open Source for everyone.
Alibaba Open Source for everyone
Data-Driven Documents codes.
China tencent open source team.