csrf

Why should I put a CSRF token in a JWT token?

和自甴很熟 submitted on 2019-12-20 14:42:41
Question: I want to bring a doubt about JWT tokens and CSRF from the Stormpath post that explains the advantages and disadvantages of storing the JWT either in localStorage or cookies. [...] if you are reading values out of a cookie using JS, that means you can't set the HttpOnly flag on the cookie, so now any JS on your site can read it, thus making it the exact same security level as storing something in localStorage. I'm trying to understand why they recommend adding the xsrfToken to the JWT. Doesn't

Override the protect_from_forgery strategy in a controller

心不动则不痛 submitted on 2019-12-20 14:39:44
Question: I want to build a Rails app with two different protect_from_forgery strategies: one for the web application, and one for the API. In my application controller I have this line of code: protect_from_forgery with: :exception in order to prevent CSRF attacks; it works just fine. In my API namespace, I created an api_controller that inherits from my application controller and that is the parent class of all the other controllers in the API namespace, and I changed the code above with: protect

ASP.NET MVC3 AntiForgeryToken

吃可爱长大的小学妹 submitted on 2019-12-20 14:15:26
Question: Here I have a simple MVC3 application with two form posts. To protect against CSRF attacks, I have used the antiforgerytoken HTML helpers in both forms as per the guidance here. Here are my two models: public class User { public string FirstName { get; set; } public string LastName { get; set; } } public class Employee { public int Id { get; set; } public string Name { get; set; } } Here is my HomeController.cs: public class HomeController : Controller { public ActionResult Index() { return View(); } [HttpPost]

How to extend or override BeginForm to include an AntiForgeryToken field

天大地大妈咪最大 submitted on 2019-12-20 10:37:00
Question: I was reading this article (http://weblogs.asp.net/dixin/archive/2010/05/22/anti-forgery-request-recipes-for-asp-net-mvc-and-ajax.aspx) about how to prevent CSRF attacks. It seems like the solution is to create a tag inside each form. <%: this.Html.AntiForgeryToken(Constants.AntiForgeryTokenSalt)%> However, I really don't want to copy and paste that code inside each form. I would like to extend or override BeginForm to create a BeginSecureForm that automatically adds the

How to render CSRF input in twig?

守給你的承諾、 submitted on 2019-12-20 09:47:40
Question: I know there's the usual way to render the CSRF token hidden input with form_rest, but is there a way to render just the CSRF input itself? I've overridden {% block field_widget %} in the theme to render a piece of additional text. But since the CSRF token is rendered as an input field too, I get a piece of text I don't need next to a hidden field. So I'd like to render it separately with an argument that tells it not to render this text. Answer 1: You can do it with {{ form_widget(formView._token) }} Answer 2: If you

Symfony2 Form with CSRF passed through JQuery AJAX

拥有回忆 submitted on 2019-12-20 09:37:55
Question: I am developing a comments box that will save the comment through a jQuery AJAX call. jQuery: Here's the jQuery code for that (this works seamlessly): $(".post-comment").click(function() { var $form = $(this).closest("form"); if($form) { $.ajax({ type: "POST", url: Routing.generate('discussion_create'), data: $form.serialize(), cache: false, success: function(html){ alert("Success!"); // Output something } }); } else { alert("An error occured"); } return false; }); Symfony2 Controller: The

How can I embed django csrf token straight into HTML?

巧了我就是萌 submitted on 2019-12-20 09:12:47
Question: Within my Django app I am storing strings of HTML in the DB that will then be displayed on the users' home pages as "messages". Some of these messages contain forms, but as they are not written in the template language, I am not able to insert the CSRF token (thus breaking the app). Is there a way to insert this token directly from within the Python files I'm editing? I'm looking for something along the lines of: csrf_token = django.csrf.generate() message = "press the button please: <form><input

Rails 4 skipping protect_from_forgery for API actions

吃可爱长大的小学妹 submitted on 2019-12-20 08:49:13
Question: I've been implementing a Rails 4 application with an API. I want to be able to call the API from mobile phones and from the webapp itself. I came across this note while researching protect_from_forgery: It's important to remember that XML or JSON requests are also affected and if you're building an API you'll need something like: class ApplicationController < ActionController::Base protect_from_forgery skip_before_action :verify_authenticity_token, if: :json_request? protected def json_request?

How to create CSRF token for Cakephp 3 PHPunit testing?

限于喜欢 submitted on 2019-12-20 04:49:23
Question: I am trying to get my unit tests working again after enabling CSRF tokens and SSL in my CakePHP 3 app. How do I create or generate a token for a test like the following? Or do I just disable it for testing purposes? public function testLogin() { $this->get('/login'); $this->assertResponseOk(); $data = [ 'email' => 'info@example.com', 'password' => 'secret' ]; $this->post('/login', $data); $this->assertResponseSuccess(); $this->assertRedirect(['controller' => 'Users', 'action' => 'dashboard'])

CSRF - logs in only the first time

牧云@^-^@ submitted on 2019-12-20 04:14:06
Question: When I deploy my app on the server, the first time I can log in without problems. But when I log out I get "403 Forbidden" on the logout POST request. Then I cannot log in successfully because I get the 403 error on the login request. Ctrl+F5, trying to log in again and... it works, but only one time. @Override protected void configure(HttpSecurity http) throws Exception { http .authorizeRequests() .antMatchers("/apps", "/sites", "/users").authenticated() .and() .csrf() .csrfTokenRepository