[Owasp-csrfguard] CSRFGuard problem

ray at allthisisthat.com ray at allthisisthat.com
Mon Jul 22 23:51:49 UTC 2013



I have added CSRFGuard to an existing project which is based on JSF using Seam 2.2. My initial testing was very positive, until I started testing use cases which generated exceptions. What I am finding is that Seam (or JSF) error handling is being interfered with by CSRFGuard. As a result, I can get into a situation where the app is frozen, and you can't even call up the app from a new tab with the login URL. I have to restart the server in order to get any pages to work. The only thing I have found which allows me to proceed is to invalidate the session when any potential CSRF attack is detected, by using the configuration option: "org.owasp.csrfguard.action.Invalidate=org.owasp.csrfguard.action.Invalidate". Of course, this is extremely unfriendly, as the user is suddenly returned to the login page with no warning or message about why.

I tried to configure an error page to redirect to by using:

org.owasp.csrfguard.action.Redirect=org.owasp.csrfguard.action.Redirect
org.owasp.csrfguard.action.Redirect.Page=/CSRFError.html

but even this doesn't work, as the conflict between Seam and CSRFGuard prevents the redirect from being processed. Basically, Seam is stuck in error mode, and there is nothing I have been able to do about it.

Does anyone have any suggestions? Has anyone else had a similar problem? I'm sure that there could equally well be conflicts with other frameworks besides JSF with Seam. I am about to remove CSRFGuard and use Seam's s:token tag to protect the POST requests - which, of course, leaves GET unprotected. I'd really rather not get into that, if there is some clever configuration I could use which would enable me to continue to use CSRFGuard.
Thanks in advance,
Ray Clough