[Owasp-csrfguard] Issue with Token PerPage

Ahmed Tayeh hamadatayeh at gmail.com
Fri May 4 07:42:08 UTC 2018


Hello,

I'm using OWASP CSRFGuard in our Java project (Java 8, Spring, WebLogic
Server, Spring MVC). Our project target is an EAR file that is deployed in
WebLogic Server (12.1.3).

I have configured the project as described in the different guidelines and
manuals (see more details below). We wanted to generate a token per page, for
which we set

org.owasp.csrfguard.TokenPerPage=true
org.owasp.csrfguard.TokenPerPagePrecreate=false

Nonetheless, the token is always the same per session.

My configuration is the same as the example in this repo:
https://github.com/aramrami/OWASP-CSRFGuard

Our configuration for the project can be summed up as follows:

1. We add the dependency (3.1.0) to the project.

2. When we build the EAR we remove csrfguard.js and csrfguard.properties
from csrfguard-3.1.0. The reason behind that is that we need our
configuration to be the only part that is loaded.

<include>META-INF\csrfguard.js</include>
<include>META-INF\csrfguard.properties</include>

3. Csrfguard.js is added to our presentation layer (in Resources) without
any modification.

4. Csrfguard.properties and csrfguard.overlay.properties are added to the
same folder (Resources).

5. Csrfguard.js is added again in WEB-INF.

6. Some configuration:

org.owasp.csrfguard.Enabled = true
org.owasp.csrfguard.Logger=eu.europa.ec.efp.util.csrguard.logging.SLF4JLogger
org.owasp.csrfguard.Ajax=true
org.owasp.csrfguard.JavascriptServlet.sourceFile = WEB-INF/Owasp.CsrfGuard.js
org.owasp.csrfguard.JavascriptServlet.domainStrict = false
org.owasp.csrfguard.JavascriptServlet.refererMatchDomain = true
org.owasp.csrfguard.JavascriptServlet.injectIntoForms = true
org.owasp.csrfguard.JavascriptServlet.injectGetForms = true
org.owasp.csrfguard.JavascriptServlet.injectFormAttributes = true

An important thing to note: we tested without doing step 2 (we kept the
files in the csrfguard-3.1.0 project), but we still have a token per session
and not per page.

We thought that the behaviour of the project might be different in an EAR
than in a WAR. We will be grateful for any help or suggestion to get a token
per page.

Thanks in advance,
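Added here as an illustration, not part of the thread or of CSRFGuard's own code: a small model of a per-session token versus the per-page tokens the poster expects, plus a diagnostic that flags the symptom described above (the same token handed out for every URI). Class and function names are my own assumptions.

```python
import hmac
import secrets

# Simplified model of the two token modes; constructed for illustration and
# not CSRFGuard's implementation. Per-page mode mints a token lazily the
# first time a URI asks for one (the analogue of TokenPerPagePrecreate=false).


class SessionTokens:
    """One master token per session and, in per-page mode, one token per URI."""

    def __init__(self, token_per_page: bool):
        self.token_per_page = token_per_page
        self.master = secrets.token_hex(16)     # session-wide token
        self.page_tokens: dict[str, str] = {}   # uri -> page-specific token

    def token_for(self, uri: str) -> str:
        """Token a page should embed in its forms/requests."""
        if not self.token_per_page:
            return self.master
        return self.page_tokens.setdefault(uri, secrets.token_hex(16))

    def verify(self, uri: str, presented: str) -> bool:
        """Accept only the token bound to the requested URI (constant-time compare)."""
        expected = self.master if not self.token_per_page else self.page_tokens.get(uri)
        if expected is None:
            return False
        return hmac.compare_digest(expected, presented)


def tokens_look_per_page(tokens: SessionTokens, uris) -> bool:
    """Diagnostic for the symptom in the post: True only if every URI gets a distinct token."""
    seen = {tokens.token_for(u) for u in uris}
    return len(seen) == len(set(uris))
```

In per-page mode a token issued for one URI is rejected on another, which is the behaviour the configuration above is meant to produce.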