[Owasp-csrfguard] The meaning of NewTokenLandingPage

Anders Båtstrand anderius+csrfguard at gmail.com
Thu Jul 14 06:44:52 EDT 2011


I am trying to use CSRFGuard in an application, but I am having some
trouble. First, let me start with a question about NewTokenLandingPage.

If I read the source code correctly, the NewTokenLandingPage is written to the
response if session.isNew(), even if you visit an unprotected page.

I do not see the purpose of this, as the page does not require a token. Is
there someone that would like to elaborate on the meaning of the

The code I am talking about is in CsrfGuardFilter.java:

			if(session.isNew()) {
				csrfGuard.writeLandingPage(httpRequest, redirectResponse);
			} else if(csrfGuard.isValidRequest(httpRequest, redirectResponse)) {
				filterChain.doFilter(httpRequest, redirectResponse);
			} else {
				/** invalid request - nothing to do - actions already executed **/
			}


Best regards,

Anders Båtstrand

PS: Are there any plans for migrating the project to Maven, and using
automatic testing? I would be very happy to help in that matter.