[Owasp-csrfguard] CSRFGuard and protecting links of pages sent out

Fernando Mayoral fernandomayoral at uxorit.com
Thu Nov 29 14:23:07 UTC 2012


Hi, 

I believe that what you need is a custom unprotected page which injects the token and redirects to the protected page, but then any user could get access, so you also need to generate a unique key per mail, store it (maybe with an expiration date and an access count?), and append the key as a parameter in the link to your unprotected landing page, so when you get the HTTP request you can recover the key and validate it in order to verify that the user is someone who received the email, and redirect him to the protected page.

Or, if that page isn't supposed to be protected, you can just exclude it
in Owasp.CsrfGuard.properties as 
org.owasp.csrfguard.unprotected.mypage=/myUnprotectedPage.jsp

Hope it helps!

 Fernando Mayoral

 Software Developer

 fernandomayoral at uxorit.com
 Skype: fernandomayoral.uxorit

 Sinclair 3139 Piso 2
 C1425DGU, Buenos Aires, Argentina
 54 11 4782.9659

 La Rioja 2071 Piso 8
 B7600GTL, Mar del Plata, Argentina
 54 22 3491.9250

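An added illustration, not code from this post or from the CSRFGuard project, of the per-mail key scheme the reply describes: a unique random key per outgoing mail, stored with an expiry and an access count, carried as a parameter on the link to the unprotected landing page, and consumed when that page redeems it. The store class, its method names and the example host are hypothetical; only the landing page path comes from the reply.

```python
import hashlib
import secrets
from dataclasses import dataclass
from typing import Dict, Optional
from urllib.parse import urlencode

# Unprotected landing page named in the reply; the protected page is reached only via redirect.
LANDING_PATH = "/myUnprotectedPage.jsp"

@dataclass
class LinkKeyRecord:
    recipient: str
    expires_at: float  # epoch seconds
    uses_left: int     # accesses still permitted

class EmailLinkKeyStore:
    """Issues one random key per outgoing mail and redeems it on the landing request.
    Hypothetical in-memory store; a deployment would persist these records."""

    def __init__(self) -> None:
        # Keyed by SHA-256 of the key so a leaked store does not yield usable links.
        self._records: Dict[str, LinkKeyRecord] = {}

    @staticmethod
    def _digest(key: str) -> str:
        return hashlib.sha256(key.encode("utf-8")).hexdigest()

    def issue(self, recipient: str, ttl_seconds: int, max_uses: int, now: float) -> str:
        """Create the key for one mail (now = send time, epoch seconds) and return it."""
        key = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._records[self._digest(key)] = LinkKeyRecord(recipient, now + ttl_seconds, max_uses)
        return key

    def landing_url(self, key: str, base: str = "https://app.example.test") -> str:
        """Link placed in the mail; the key travels as a query parameter."""
        return f"{base}{LANDING_PATH}?{urlencode({'key': key})}"

    def redeem(self, key: str, now: float) -> Optional[str]:
        """Return the recipient if the key is live with uses left, else None.
        Each success consumes one use; expired or exhausted keys are dropped."""
        digest = self._digest(key)
        rec = self._records.get(digest)
        if rec is None or now > rec.expires_at or rec.uses_left <= 0:
            self._records.pop(digest, None)
            return None
        rec.uses_left -= 1
        if rec.uses_left == 0:
            del self._records[digest]
        return rec.recipient
```

The landing page handler would call redeem() with the key taken from the request and redirect to the protected page only on a non-None result, so the CSRFGuard token is injected only for recipients of the mail.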