[Owasp-csrfguard] ajax not sending token sometimes?

Chris Hyzer mchyzer at isc.upenn.edu
Sat May 17 14:19:09 UTC 2014


I am seeing weird behavior where ajax will send the token from a page most of the time, but for some links it doesn't.  Has anyone ever experienced this?  I was trying to debug the JavaScript to figure out why, and it wasn't obvious, so I just decided in my framework to set the token in the header on ajax also, so now sometimes it is there twice, sometimes once.  But on the server side the header has the token twice (comma separated).  Anyways, I made a patch to make that work on the server side (if a comma-separated token doesn't match the session token, then try the prefix before the comma).  Now it is working again.  I made a pull request for this.  This will not affect people not having this problem.

Thanks,
Chris
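
The server-side fallback described in the message above, sketched as an added example; it is not part of the original post and is not the code from the pull request. The class and method names are hypothetical and the sample token is constructed.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

public class AjaxTokenHeaderCheck {

    // Constant-time comparison, so the check does not reveal how many
    // leading characters of a guessed token were correct.
    static boolean sameToken(String candidate, String sessionToken) {
        return MessageDigest.isEqual(
                candidate.getBytes(StandardCharsets.UTF_8),
                sessionToken.getBytes(StandardCharsets.UTF_8));
    }

    // headerValue:  raw value of the token header as the server received it.
    // sessionToken: the token stored in the user's session.
    static boolean headerTokenMatches(String headerValue, String sessionToken) {
        if (headerValue == null || sessionToken == null || sessionToken.isEmpty()) {
            return false;
        }
        if (sameToken(headerValue, sessionToken)) {
            return true; // normal case: the token was sent once
        }
        // XMLHttpRequest.setRequestHeader() called twice with the same name
        // produces a single header of the form "value, value".
        int comma = headerValue.indexOf(',');
        if (comma < 0) {
            return false;
        }
        // Fallback from the message: try only the prefix before the comma.
        String prefix = headerValue.substring(0, comma).trim();
        return sameToken(prefix, sessionToken);
    }

    public static void main(String[] args) {
        String session = "CONSTRUCTED-TOKEN-1234"; // constructed sample value
        String[] samples = {
            session,                  // sent once
            session + ", " + session, // set twice by the client
            "wrong, " + session,      // prefix does not match: rejected
            "",                       // empty header: rejected
        };
        for (String s : samples) {
            System.out.println("\"" + s + "\" -> " + headerTokenMatches(s, session));
        }
    }
}
```

The fallback only ever accepts a value whose first element equals the session token, so a request without a valid token is still rejected.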