[Owasp-csrfguard] CSRF implementation for hyperlink with <sj:a>

Hafe regee hafi.reg at gmail.com
Tue Feb 9 20:21:24 UTC 2016


Hi,



We are planning to implement CSRFGuard in our application. Though we are
able to set the CSRF token for FORM submits, we see an issue in implementing
it for hyperlinks.

There are 2 issues we are currently facing.


1 - We are using <sj:a> tags for defining the links. CSRFGuard suggests
using the <csrf:a> tags, but <csrf:a> tags are not a replacement for <sj:a>
as some of the components like targets are not available with the CSRF
anchor tag. We tried the <s:token> options and passing the token as a param
in the <s:url> tag, but redirecting to the result page fails due to new
tokens being generated. In this case, on click of the link the page is
getting refreshed, throwing the error:

*"Form has already been processed or no token supplied. Please try again".*



2 - On click of a hyperlink, a popup opens. Here we are trying to append the
tokens to the URL, but the CSRF token is getting exposed/displayed in the URL.