[Owasp-csrfguard] Community Question regarding OWASP-CSRF

Sarah Baso sarah.baso at owasp.org
Tue Apr 8 17:23:06 UTC 2014


Azzeddine and others -

We received this question through our community "contact us" form - can you
help with responding?  The submitter is cc'ed.

We have secured our public website using OWASP CSRFGuard and configured
TokenPerPage=true. We use JSF 2.0 (MyFaces) for our front-end
development. Everything works well, as expected, except when we use JSF
<f:ajax>. When we submit an ajax request from a page, the ajax request is
successful, but the subsequent HTTP request fails with the message "potential
cross-site request forgery (CSRF) attack thwarted (user:<anonymous>%,
ip:x.x.x.x, uri:/ppr/secured/xxxx.faces, error:request token does not match
page token)".

Below is our speculation: in JSF the URL displayed in the browser
address bar is always the previous page's URL (as JSF 'POST' forwards the
request), and the ajax request uses the current page's URL. Maybe the ajax
request overrides the token. We are not sure if this could cause any issues
with token tracking, but we just want to hint at our speculation to you and get
your suggestions/guidance to fix this issue.


Thanks in advance,
Sarah Baso
-- 
Executive Director
OWASP Foundation

sarah.baso at owasp.org
+1.312.869.2779