Wednesday, 23 March 2016

Browser Back Button Issues with CSRF Prevention Mechanism

I tried using the OWASP mechanism to protect my legacy application from CSRF, but I got issues with navigation and the back button. I then tried using the Struts 1 token mechanism but faced the same issue. The problem, I think, with the token injection mechanism is that initially we generate a token in the JSP, store it in the session and perform some action.

Consider A.jsp. Let's take token value 1 in the JSP, and we store the same in the session. Now we validate it in the filter/Action class. After that we do some other operation in B.jsp, and we have the new token value 2 in the JSP and in the session. After validation from the server we will have value 2 in the session. Now if we navigate using the browser's back button and move to page 1 and submit it, it will load the values from cache and A.jsp will have the value 1 as token. After submitting A.jsp at this point it will show a CSRF error as it contradicts the value in the session.

Is there a way to implement the CSRF prevention mechanism without actually disturbing the application?
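The back-button failure described in the post, as an added example that is not the poster's code and not the OWASP or Struts 1 implementation: a Python model of the server-side token store. `SingleTokenSession` reproduces the behaviour in the post (one token slot in the session, overwritten on every page render, so the token carried by a cached A.jsp is rejected once B.jsp has been rendered). `WindowedTokenSession` and `PerSessionTokenSession` are two commonly used alternatives, shown here as assumptions for comparison rather than as anything the post recommends: keep the last N issued tokens valid, or issue one token for the whole session. The class names, the window size and the `back_button_scenario` replay are illustrative.

```python
import secrets
from collections import deque


class SingleTokenSession:
    """Models the store in the post: one token per session, replaced on each render."""

    def __init__(self):
        self.token = None

    def render_page(self):
        # A new token is generated when a page is rendered and embedded in its form.
        self.token = secrets.token_urlsafe(16)
        return self.token

    def validate(self, submitted):
        # Constant-time comparison against the single stored token.
        if submitted is None or self.token is None:
            return False
        return secrets.compare_digest(submitted, self.token)


class WindowedTokenSession:
    """Keeps the last `window` issued tokens valid, so a page reached via Back still submits."""

    def __init__(self, window=8):
        self.tokens = deque(maxlen=window)  # oldest token is evicted automatically

    def render_page(self):
        token = secrets.token_urlsafe(16)
        self.tokens.append(token)
        return token

    def validate(self, submitted):
        if submitted is None:
            return False
        # Check every remembered token so timing does not reveal which slot matched.
        return any(secrets.compare_digest(submitted, t) for t in self.tokens)


class PerSessionTokenSession:
    """One token for the lifetime of the session; every rendered form carries the same value."""

    def __init__(self):
        self.token = secrets.token_urlsafe(16)

    def render_page(self):
        return self.token

    def validate(self, submitted):
        if submitted is None:
            return False
        return secrets.compare_digest(submitted, self.token)


def back_button_scenario(session_factory):
    """Replay the sequence from the post against a given token store and report the outcomes."""
    session = session_factory()
    token_a = session.render_page()  # A.jsp rendered: token 1 stored and embedded
    token_b = session.render_page()  # B.jsp rendered: token 2 stored and embedded
    # User presses Back: the browser shows cached A.jsp, which still carries token_a.
    return {
        "stale_page_accepted": session.validate(token_a),
        "current_page_accepted": session.validate(token_b),
        "forged_rejected": not session.validate("attacker-guess"),  # constructed bad token
        "missing_rejected": not session.validate(None),
    }


if __name__ == "__main__":
    for factory in (SingleTokenSession, WindowedTokenSession, PerSessionTokenSession):
        print(factory.__name__, back_button_scenario(factory))
```

The windowed store trades a little memory for tolerating Back-then-submit; if tokens are also removed on successful use (one-time tokens), a page resubmitted after Back is rejected again, so that decision has to be made deliberately. The per-session variant is the simplest to retrofit on a legacy application because the JSPs only ever read one value, but it means a leaked token is valid until the session ends.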



