csrf-protection

Spring CSRF token life

淺唱寂寞╮ submitted on 2019-12-10 14:57:24
Question: I am implementing CSRF protection using Spring Security as per the doc. One question I have is: when will this token get invalidated by Spring Security? Does the token get invalidated for each request submit? Answer 1: By default the CSRF token is stored in the HTTP session and is generated on a per-session basis. See the official Spring Security documentation for more details. Therefore, the default lifecycle of CSRF tokens is the session duration. Like everything else in Spring Security, the

Using PHP cURL to get CSRF-Token from URL and post it to another URL within the same session

我是研究僧i submitted on 2019-12-10 12:18:58
Question: I'm trying to create a queue system based on information gathered from the supermariomakerbookmark.nintendo.net website. First, I make a GET request to the URL https://supermariomakerbookmark.nintendo.net/courses/7E00-0000-0220-574B to find the CSRF-Token, present in the field: <meta name="csrf-token" content="xxxxxx"> After that, I need to make a POST request to https://supermariomakerbookmark.nintendo.net/courses/7E00-0000-0220-574B/play_at_later, passing the CSRF-Token and the Cookie in the

CodeIgniter CSRF protection error with AJAX

六月ゝ 毕业季﹏ submitted on 2019-12-10 11:49:54
Question: I have a small problem here which I cannot fix. This post goes through but the response returns a "500 internal server error". How do I fix it? After searching the CI forum I found this link codeigniter-csrf-protection-with-ajax but I can't solve it by that. Can anyone help me? Answer 1: You should include the CSRF key in your AJAX POST request to get the action to work. However, you're only GETTING data, so using method:'get' instead of method:'post' should do the trick and make your request work. See

How to protect web application from cookie stealing attack?

☆樱花仙子☆ submitted on 2019-12-10 11:29:39
Question: My web application's authentication mechanism is currently quite simple. When a user logs in, the website sends back a session cookie which is stored (using localStorage) on the user's browser. However, this cookie can too easily be stolen and used to replay the session from another machine. I notice that other sites, like Gmail for example, have much stronger mechanisms in place to ensure that just copying a cookie won't allow you access to that session. What are these mechanisms and are

In what case can CSRF-exempt be dangerous?

白昼怎懂夜的黑 submitted on 2019-12-10 01:56:51
Question: This question is more a reassurance than one directly about how to code. As an autodidact I did not have a lot of possibilities to ask professionals such things, so I am trying here. I have read the documents in the django-docs ( https://docs.djangoproject.com/en/1.3/ref/contrib/csrf/ ) and some info on that page: http://cwe.mitre.org/top25/#CWE-352 As far as I have understood, django delivers a token (some kind of pin-code) to a user. And to verify it really is him, he has to return it the next

Django 1.2.4 CSRF verification failed

柔情痞子 submitted on 2019-12-09 10:32:40
Question: Django 1.2 is consistently giving me this CSRF verification error when I perform a POST form. I "think" I've done all the things asked in the Django 1.2 docs, namely: Ensure MIDDLEWARE_CLASSES includes 'django.middleware.csrf.CsrfViewMiddleware'. Ensure the {% csrf_token %} is present: <form action="/words/new/" method="post"> {% csrf_token %} {{ form.as_p }} <input type="submit" value="Enter" /> </form> Use RequestContext in my response: def create(request): if request.method == 'POST': form =

Unique form token disables multitasking for the user

喜夏-厌秋 submitted on 2019-12-09 06:56:48
Question: If I want to protect my site and users from Cross Site Request Forgery (CSRF) attacks, I can generate a unique token $token = md5( time() * rand() ); on every page that has a form. The token is submitted in a hidden input field echo '<input type="hidden" name="token" value="'.$token.'">'; and at the same time stored in a session variable $_SESSION['token'] = $token; . On any submitted form I will check if($_POST['token'] == $_SESSION['token']) and proceed accordingly. However some users may

Codeigniter with jqGrid: use csrf_token

强颜欢笑 submitted on 2019-12-09 03:30:31
If in the config file I set csrf_token to false, everything works. However when csrf_token is true, my grid can only get data from the database but not update or anything else. I'm looking through the posts on this site about Codeigniter+jqGrid but still haven't understood what I should do. I can get the value of csrf_token but where should it be included? var lastsel; var addl_params = { ci_csrf: $.cookie('ci_csrf_token') }; $("#grid").jqGrid({ url:'url to script', datatype: "json", mtype: 'GET', colNames:['id', 'Nickname', 'Breed'], colModel:[ {name:'id',index:'id', width:55, sortable:false,

Protect against a form hijacking hack

依然范特西╮ submitted on 2019-12-08 19:55:31
Yes, hello. Today I discovered a hack for my site. When you write a msg on a user's wall (in my community site) it runs an ajax call to insert the msg into the db and will then, on success, slide down and show it. Works fine with no problem. So I was rethinking a little. I am using POST methods for this, and if it was a GET method you could easily do ?msg=haxmsg&usr=12345679. But what could you do to get around the POST method? I made a new html document, made a form and for its action I set "site.com/insertwall.php" (the file that is normally used in the ajax call), and I made some input fields with names exactly

Why does the CSRF token in Rails not prevent multiple tabs from working properly?

我与影子孤独终老i submitted on 2019-12-08 17:07:50
Question: After reading about how the CSRF protection works in Rails, I tried to trigger CSRF protection by doing this: Note: We are using cookie based sessions. Visit the login page. Check the CSRF token in meta => abc123. Open a 2nd browser tab, and visit the same login page. The CSRF token in meta is different => def456. Go back to the 1st tab. Submit login credentials. I expected this to fail, because the 2nd tab generated a new, different CSRF token. When the login form submits, shouldn't the token that gets