[Owasp-csrfguard] CSRFGuard and protecting links of pages sent out in emails

P Manchanda manchandap at yahoo.com
Thu Nov 29 07:04:03 UTC 2012


I have one query related to implementing CSRFGuard Filter. I am not sure if this mailing list is the correct place to do so. If this mailing list is not the correct place, please guide me about posting my query.

My Query:

We implemented OWASP's CSRFGuard to protect our pages in the web application. For example, */myCsrfProtected.jsp. We have injected the CSRF token at all occurrences of */myCsrfProtected.jsp within the application. Everything works fine.

However, we have another use case where the link to this protected page is sent out to users in an email. Think about a link to a report. Now when the user clicks on this link, the token is missing or invalid and hence the CSRFGuard filter blocks the request, assuming this to be a CSRF attack. (This is what the filter has been implemented for :-) )

Is there any way to handle this use case and allow access to a CSRF-protected page from outside the application?

Thks & brgds 
P Manchanda
Mobile: +91-9811210374 