csrf

In a web page we provide a hyperlink (GET) that the User may click on to authenticate: @Html.ActionLink("Please Login", "MyMethod", "MyController") This maps to the following controller method which returns a View: [RequireHttps] public ActionResult MyMethod() { return this.View(new MyModel()); } This View contains the Form in which the User supplies their credentials; the Form contains the required AntiForgeryToken. When the User submits the form, the following Controller method is called: [HttpPost] [RequireHttps] [ValidateAntiForgeryToken] public ActionResult MyMethod(MyModel model) { // my

UPDATE : GWT 2.3 introduces a better mechanism to fight XSRF attacks. See http://code.google.com/webtoolkit/doc/latest/DevGuideSecurityRpcXsrf.html GWT's RPC mechanism does the following things on every HTTP Request - Sets two custom request headers - X-GWT-Permutation and X-GWT-Module-Base Sets the content-type as text/x-gwt-rpc; charset=utf-8 The HTTP request is always a POST, and on server side GET methods throw an exception (method not supported). Also, if these headers are not set or have the wrong value, the server fails processing with an exception "possibly CSRF?" or something to that

I am testing some csrf stuff, and I am wondering if it is possible to POST a cross domain ajax request with Content-Type: application/json Every time I try to do this with jQuery: $.ajax({ type: "post", url: "http://someotherdomain.com/endpoint", contentType: "application/json; charset=UTF-8", data: {"a": "1"}, dataType: "json", crossDomain: true, success: function(data){ alert(data); }, failure: function(data){ alert(data); } }); I always send HTTP OPTIONS requests instead of HTTP POSTs . Note- that I don't care about receiving data back, a one way post is all I need. Note- that the content

I am using FOSUserBundle on my Symfony2 Website. Now I am working on an API to allow registration over a REST api call. I have overridden the RegistrationController of FOSUserBundle: ApiRegistrationController.php: /** * @Route("/user/", defaults = { "_format" = "json" }, requirements = { "_method" = "POST" }) * */ public function registerAction(Request $request) { [...] $form = $formFactory->createForm(new ApiRegistrationFormType(), $user); [...] } ApiRegistrationFormType.php: /** * @param OptionsResolverInterface $resolver */ public function setDefaultOptions(OptionsResolverInterface

I'm using Laravel's CSRF protection on my public site. However since Laravel uses a session to maintain this, I'm worried that a user might walk away from their computer and return to a page they have previously left open, only to find ajax requests don't work. The ajax requests don't work because the session has timed out (and the token no longer validates?). If these users were "logged in" users, then I could simply redirect them back to the login page. Since they are public users, then the user is forced to refresh the page to get it back working (awkward). Or am I wrong about this? Would

In Django template I used: <form action="/user" method="post">{% csrf_token %} {{ form.as_p|safe }} <input type="submit" value="Submit" /> </form> But error when I change to jinja2 template engine : Encountered unknown tag 'csrf_token' My question: csrf_token protection in jinja2 is required? If required, how to do this? Thanks in advance! It seems Jinja2 works differently: Use <input type="hidden" name="csrfmiddlewaretoken" value="{{ csrf_token }}"> where in Django templates you use {% csrf_token %} source : http://exyr.org/2010/Jinja-in-Django/ I know this is an old question, but I wanted to

I have a single page application, having sensitive content, and needs to be secured. This question is specific with securing against XSS and CSRF attacks. Explanation: It has been suggested many places, for example here to use cookies on top of localStorage while storing the auth-token. A very nice explanation is also provided in answer of another question here . Based on these answers, for secured contents, it is suggested to use cookies with ‘httpOnly’ and ‘secure’ options to avoid XSS; and implement CSRF protection by ourselves (something like anti-forgery-token in asp.net ) (Note that I am