Re: Prevent Ajax Multi-Request in Struts 2

2013-10-07 Thread Alireza Fattahi
Fattahi afatt...@yahoo.com Sent: Thursday, 26 September 2013, 16:13 Subject: Re: Prevent Ajax Multi-Request in Struts 2 Hi, Since XHR requests cannot be cross-domain, you cannot get a CSRF through XHR (the browser will not allow another page to send an XHR to your server). The only option would

Re: Prevent Ajax Multi-Request in Struts 2

2013-10-07 Thread jlmagc
from T-Mobile -Original Message- From: Alireza Fattahi afatt...@yahoo.com Date: Mon, 7 Oct 2013 22:01:47 To: Struts Users Mailing List user@struts.apache.org Reply-To: Struts Users Mailing List user@struts.apache.org Subject: Re: Prevent Ajax Multi-Request in Struts 2 Jose, I am still

Re: Prevent Ajax Multi-Request in Struts 2

2013-10-07 Thread jlmagc
- From: jlm...@gmail.com Date: Tue, 8 Oct 2013 05:23:05 To: Struts Users Mailing List user@struts.apache.org; Alireza Fattahi afatt...@yahoo.com Reply-To: jlm...@gmail.com Subject: Re: Prevent Ajax Multi-Request in Struts 2 What are you using on the client for the ajax calls? Dojo? jQuery

Re: Prevent Ajax Multi-Request in Struts 2

2013-09-30 Thread Alireza Fattahi
: RE: Prevent Ajax Multi-Request in Struts 2 To mitigate, add a nonce to the form https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF) Regards, Martin- Date: Thu, 26 Sep 2013 08:43:12 -0400 Subject: Re: Prevent Ajax Multi-Request in Struts 2 From: jlm...@gmail.com To: user

Re: Prevent Ajax Multi-Request in Struts 2

2013-09-26 Thread JOSE L MARTINEZ-AVIAL
Hi, Since XHR requests cannot be cross-domain, you cannot get a CSRF through XHR (the browser will not allow another page to send an XHR to your server). The only option would be a normal post against your supposed-ajax URL. In order to protect against it, we check for an HTTP header that is sent

Re: Prevent Ajax Multi-Request in Struts 2

2013-09-26 Thread Paul Benedict
Alireza, use some sort of pre-authenticated token. Ignore requests that have a bad token. On Thu, Sep 26, 2013 at 7:43 AM, JOSE L MARTINEZ-AVIAL jlm...@gmail.com wrote: Hi, Since XHR requests cannot be cross-domain, you cannot get a CSRF through XHR (the browser will not allow another page

RE: Prevent Ajax Multi-Request in Struts 2

2013-09-26 Thread Martin Gainty
To mitigate, add a nonce to the form https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF) Regards, Martin- Date: Thu, 26 Sep 2013 08:43:12 -0400 Subject: Re: Prevent Ajax Multi-Request in Struts 2 From: jlm...@gmail.com To: user@struts.apache.org; afatt...@yahoo.com Hi

Prevent Ajax Multi-Request in Struts 2

2013-09-25 Thread Alireza Fattahi
Hi, We want to avoid multi-requests sent via Ajax in a Struts 2 web-based application. The `s:token` can be used in regular request-response JSP pages, but it will not work for Ajax requests. The problem is the returned response, which does not populate a new value for the Struts token. I found this