[Owasp-csrfguard] The meaning of NewTokenLandingPage

Patrick Radtke pradtke at stanford.edu
Thu Jul 21 20:19:05 EDT 2011


On 7/14/11 3:44 AM, Anders Båtstrand wrote:
> Hi
>
> I am trying to use CSRFGuard in an application, but I am having some 
> troubles. First, let me start with a question about NewTokenLandingPage.
>
> If I read the source code correctly, the NewTokenLandingPage is written 
> to the response if session.isNew(), even if you visit an unprotected 
> page.
>
> I do not see the purpose of this, as the page does not require a 
> token. Is there someone that would like to elaborate on the meaning of 
> the NewTokenLandingPage?
>
> The code I am talking about is in CsrfGuardFilter.java:
>
> if(session.isNew()) {
>     csrfGuard.writeLandingPage(httpRequest, redirectResponse);
> } else if(csrfGuard.isValidRequest(httpRequest, redirectResponse)) {
>     filterChain.doFilter(httpRequest, redirectResponse);
> } else {
>     /** invalid request - nothing to do - actions already executed **/
> }
We started moving our app to the white list approach as well.
We filter '/*' and then white list other things and have run into the 
same issue you describe.
For us the whole concept of NewTokenLandingPage is a non-starter, since 
we need to support browsers with JavaScript disabled.

I removed the whole 'NewTokenLandingPage' landing page from the code in 
CsrfGuardFilter and now everything works. Non-JavaScript users don't 
just get a blank page.
I think an option to disable NewTokenLandingPage may be the way to go.
I am also not sure of the purpose of NewTokenLandingPage, since 
CsrfGuardListener creates the token when the session is established. 
Maybe Eric Sheridan can weigh in.

Anyhow, the code changes we are deploying with are currently:

    if(csrfGuard.isValidRequest(httpRequest, redirectResponse)) {
        filterChain.doFilter(httpRequest, redirectResponse);
    } else {
        /** invalid request - nothing to do - actions already executed **/
    }

I'd be happy to set up a branch on github tomorrow for anyone that wants 
to pull this change (and a redirect bug fix).

-Patrick
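To make the behaviour discussed in this thread concrete, the following is an added Python model of the filter branch above (not CSRFGuard's own code): it shows that with the landing-page branch a fresh session gets the NewTokenLandingPage even on an unprotected path, while with the branch removed unprotected paths pass straight through and protected paths still require a token matching the one created at session start. The whitelist paths, the `OWASP_CSRFTOKEN` parameter name and the `Session` class are constructed assumptions for the example.

```python
import hmac
import secrets

# Constructed whitelist standing in for CSRFGuard's configured
# unprotected pages (assumed paths, not the project's own config).
UNPROTECTED = {"/login", "/public/info"}
TOKEN_PARAM = "OWASP_CSRFTOKEN"  # assumed parameter name for this example
LANDING, PASS, REJECT = "landing", "pass", "reject"


class Session:
    """Minimal stand-in for HttpSession: new until its first request is
    handled, and holding the token the session listener creates when the
    session is established (as the thread describes for CsrfGuardListener)."""

    def __init__(self):
        self.is_new = True
        self.token = secrets.token_hex(16)

    def touch(self):
        self.is_new = False


def decide(session, path, params, landing_page_enabled):
    """Model of the CsrfGuardFilter decision.

    landing_page_enabled=True mirrors the original branch: any request on a
    brand-new session receives the landing page, whatever the path.
    landing_page_enabled=False mirrors the change in this thread: the
    request is validated directly; whitelisted paths pass, everything else
    needs a submitted token equal to the session token.
    """
    try:
        if landing_page_enabled and session.is_new:
            return LANDING
        if path in UNPROTECTED:
            return PASS
        submitted = params.get(TOKEN_PARAM, "")
        # Constant-time comparison so a mismatch leaks nothing via timing.
        if hmac.compare_digest(submitted.encode(), session.token.encode()):
            return PASS
        return REJECT
    finally:
        # The session is no longer "new" once any request has been handled.
        session.touch()
```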
