[Owasp-csrfguard] first request is not protected?

Chris Hyzer mchyzer at isc.upenn.edu
Tue Oct 1 19:17:37 UTC 2013

Not sure if this is the culprit... but I don't really understand it: (from CsrfGuardFilter)

			if (session == null) {
				// If there is no session, no harm can be done
				filterChain.doFilter(httpRequest, (HttpServletResponse) response);

Isnt it possible a request to come not from an existing session that would be single-signed on with a cookie, and authenticated, authorized, and perform the action?  Seems like this shouldn't pass through, but should be checked by csrfguard (even if it is an option to do so for people who want it).  I guess this assumes the Java session timeout is exactly the same or greater than the authentication timeout.  At Penn that is not the case.  You could be timed out from the Java app, but the single sign on cookie will get you right back in without redirect or user-input, I think this is a gap.  Another use case is you have a bunch of apps on one apache, you are logged in to one, the single sign on cookie is valid, but you have no session on another, it would be vulnerable to CSRF.


-----Original Message-----
From: Chris Hyzer 
Sent: Tuesday, October 01, 2013 1:11 AM
To: owasp-csrfguard at lists.owasp.org
Subject: first request is not protected?

I have a protected URL: /whatever, and the first request can go through CSRFguard, but subsequent requests cannot (they go to the error page).  Shouldn't the first request by default be protected unless that page is allowed in the properties file?  Is there a setting I can change to make the first request be protected?  Granted I understand that users will need to login, but I would prefer if all requests to protected resources are protected unless the CSRF token is there.  I tried this setting and it didn't seem to work...  

# New Token Redirect Page
# Defines where to send a user if the token is being generated for the first time.
# Failure to define a redirect page will allow CSRF attacks to work for unauthenticated
# users


More information about the Owasp-csrfguard mailing list