[Owasp-csrfguard] Handling Browser Refresh while using CSRF Guard

RajaManickam RajaGounder 2 rrajagounder3 at sapient.com
Mon Jan 27 10:47:39 UTC 2014


Hi Azzedine,
Thanks a lot for your response.

Please see my response below.


  1.  CSRFGuard version is 3.0
  2.  App server is Tomcat
  3.  Sorry, there is no screenshot that would help since it's very specific to the application
  4.  Please see the log file attached.

Regards,
Raja


From: Azzeddine Ramrami <azzeddine.ramrami at owasp.org>
Date: Monday, January 27, 2014 3:23 PM
To: Sapient <rrajagounder3 at sapient.com>
Cc: "owasp-csrfguard at lists.owasp.org" <owasp-csrfguard at lists.owasp.org>
Subject: Re: [Owasp-csrfguard] Handling Browser Refresh while using CSRF Guard

Hi Raja,
Could you give me the following:
- CSRFGuard version
- Which application server do you use (JBoss, WebSphere, etc.)?
- A copy of a screenshot
- A log from your application server

Thanks.
Azzeddine



On Mon, Jan 27, 2014 at 8:40 AM, RajaManickam RajaGounder 2 <rrajagounder3 at sapient.com> wrote:
Hi,
We have integrated the CSRF Guard security framework in our project. The framework is configured to work on POST requests. It's working well, and we are looking for some help on handling the browser refresh.

The problem description is below.

The user submits the form and there are server-side validation errors. The user is forwarded back to the same page and the error message is displayed at the form field. When the page is refreshed,
the previous security token is sent to the server (although a new token is rendered on the page) and the request is identified as a potential security threat. As a result, the user session is invalidated.

Could you please let me know the best practices around handling these scenarios?

Regards,
Raja




_______________________________________________
Owasp-csrfguard mailing list
Owasp-csrfguard at lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-csrfguard




--
Azzeddine RAMRAMI
+33 6 65 48 90 04.
Enterprise Security Architect
OWASP Leader (Morocco Chapter)
Mozilla Security Projects Mentor
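The refresh problem Raja describes comes from forwarding back to the form after a failed POST, so the browser's current request is still that POST and a refresh replays it with the token that was valid before CSRFGuard rotated it. The servlet below is an added example, not code from this thread or from the CSRFGuard project: it shows the Post/Redirect/Get alternative, where validation errors are parked in the session and the form is re-displayed via a GET, so a refresh re-issues a GET that carries no stale token. FormValidator, OrderService, the JSP path and the URL paths are hypothetical; the CSRFGuard filter is assumed to run in front of this servlet.

```java
import java.io.IOException;
import java.util.List;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Added example, not code from the thread or from CSRFGuard. FormValidator and
// OrderService are hypothetical helpers; CSRFGuard's filter is assumed to run
// in front of this servlet with token rotation enabled.
public class OrderFormServlet extends HttpServlet {
    private static final String ERRORS_KEY = "order.form.errors"; // assumed key
    private static final String FORM_PATH = "/order/form";        // assumed path

    // GET renders the form. Errors left behind by the previous POST are read
    // from the session once and removed, so a refresh of this page is a plain
    // GET: no form body, no replayed CSRF token, no session invalidation.
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        HttpSession session = req.getSession(false);
        if (session != null) {
            Object errors = session.getAttribute(ERRORS_KEY);
            if (errors != null) {
                session.removeAttribute(ERRORS_KEY);
                req.setAttribute("errors", errors);
            }
        }
        req.getRequestDispatcher("/WEB-INF/jsp/order.jsp").forward(req, resp);
    }

    // POST validates. The reported setup forward()s back to the JSP here, which
    // leaves the POST as the browser's current request, so a refresh resubmits
    // it with the old token. Instead, store the errors and redirect to the GET
    // view; the browser follows the redirect with a GET.
    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        List<String> errors = FormValidator.validate(req); // hypothetical helper
        if (!errors.isEmpty()) {
            req.getSession(true).setAttribute(ERRORS_KEY, errors);
            resp.sendRedirect(req.getContextPath() + FORM_PATH);
            return;
        }
        OrderService.save(req); // hypothetical helper
        resp.sendRedirect(req.getContextPath() + "/order/confirmation");
    }
}
```

The submitted field values need the same treatment as the errors (stored in the session for one GET or re-rendered from a saved copy) if the form is to be pre-filled after the redirect. The token rendered on the redirected GET page is the current one, so a subsequent submit validates normally.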
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: error.txt
URL: <http://lists.owasp.org/pipermail/owasp-csrfguard/attachments/20140127/cd1d4bbc/attachment.txt>

