[Owasp-csrfguard] Redirect with token not working when query parameters present and TokenPerPage=true

Patrick Radtke pradtke at stanford.edu
Tue Jul 5 20:07:17 EDT 2011


I needed support for appending the CSRF token as part of a redirect.
I saw this feature was available in git, but there is a bug that prevents it
from working when query parameters are present.
Basically 'isValidRequest' ignores query params, while 'getTokenValue' 

I access
which redirects to

After adding CSRF Guard
I access
the per page token is stored under the key '/AccountApp/editmf'
The redirect is to '/AccountApp/editmf?execution=e1s1' which
doesn't match the key, so the session token is used to construct the 
redirect url
This happens in 'getTokenValue()'

However, when 'isValidRequest' is called after the redirect, only
'/AccountApp/editmf' is used to check the pageTokens map,
so the token no longer matches.

The 'location' needs the query params stripped off. I'm not familiar enough
with servlets to know if there is standard call to do that.

(approx line 75 of CsrfGuardFilter)
String location = redirectResponse.getLocation();

This all works fine if TokenPerPage=false.
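The key mismatch described in this message, reconstructed as an added Java example (editor's illustration, not CSRFGuard's own code): the per-page token map is keyed by the bare path, so a lookup with the full redirect Location falls back to the session token, while a lookup with the query string stripped finds the page token. The `stripQuery` helper and the in-memory map are assumptions for illustration.

```java
import java.util.HashMap;
import java.util.Map;

public class RedirectTokenKeyExample {
    // Simulated per-page token store, keyed by path only (as the message describes).
    private final Map<String, String> pageTokens = new HashMap<>();
    private final String sessionToken = "SESSION-TOKEN";

    // Hypothetical helper: drop the query string (and any fragment) from a redirect
    // Location so it matches the key under which the page token was stored.
    static String stripQuery(String location) {
        if (location == null) {
            return null;
        }
        int cut = location.length();
        int q = location.indexOf('?');
        if (q >= 0) {
            cut = q;
        }
        int h = location.indexOf('#');
        if (h >= 0 && h < cut) {
            cut = h;
        }
        return location.substring(0, cut);
    }

    // Mirrors the described getTokenValue(): page token if the key exists, else the session token.
    String tokenFor(String key) {
        String t = pageTokens.get(key);
        return t != null ? t : sessionToken;
    }

    // Mirrors the described isValidRequest(): only the path is used to look up the page token.
    boolean isValid(String path, String presentedToken) {
        return tokenFor(path).equals(presentedToken);
    }

    public static void main(String[] args) {
        RedirectTokenKeyExample g = new RedirectTokenKeyExample();
        g.pageTokens.put("/AccountApp/editmf", "PAGE-TOKEN-EDITMF"); // constructed sample
        String location = "/AccountApp/editmf?execution=e1s1";

        // Buggy behaviour: the full Location is used as the key, so the session token is appended.
        String buggy = g.tokenFor(location);
        System.out.println("unstripped key -> " + buggy + ", validates: " + g.isValid("/AccountApp/editmf", buggy));

        // Fixed behaviour: the query string is stripped before the lookup, so the page token is found.
        String fixed = g.tokenFor(stripQuery(location));
        System.out.println("stripped key   -> " + fixed + ", validates: " + g.isValid("/AccountApp/editmf", fixed));
    }
}
```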


