Alireza, use some sort of pre-authenticated token. Ignore requests that have a bad token.
On Thu, Sep 26, 2013 at 7:43 AM, JOSE L MARTINEZ-AVIAL <jlm...@gmail.com> wrote:

> Hi,
> Since XHR requests cannot be cross-domain, you cannot get a CSRF through XHR (the browser will not allow another page to send an XHR to your server). The only option would be a normal post against your supposed-ajax URL. In order to protect against it, we check for an HTTP header that is sent on any ajax request by our javascript framework (Dojo). A normal form cannot be manipulated to add that header, so if the request is supposed to be ajax and it does not have the header, you can reject it, because it is a CSRF attempt.
>
> Regards
>
> JL
>
> 2013/9/25 Alireza Fattahi <afatt...@yahoo.com>
>
> > Hi,
> >
> > We want to avoid multi-request sent via Ajax in struts 2 web based application.
> >
> > The `s:token` can be used in regular request-response jsp pages, but it will not work for ajax requests. The problem is the returned response, which does not populate a new value for the struts token.
> >
> > I found this issue at
> > http://stackoverflow.com/questions/13353577/howto-do-csrf-protection-in-struts2-application-for-ajax-requests
> > but I wonder if there is any better way for that? (I think this is a very common issue which must have been managed in struts)
> >
> > ~Regards,
> > ~~Alireza Fattahi

--
Cheers, Paul
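A Struts 2 interceptor along the lines of what Paul and JL describe: a per-session token that the page sends in a custom request header and that is checked on every non-safe request, so the Ajax response never has to hand back a fresh `s:token` value. This is an added example, not code from the thread; the class, header and session key names are assumptions.

```java
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import com.opensymphony.xwork2.ActionInvocation;
import com.opensymphony.xwork2.interceptor.AbstractInterceptor;
import org.apache.struts2.ServletActionContext;

/**
 * Rejects state-changing requests that do not carry the session's CSRF token
 * in a custom header. Unlike s:token the value is not consumed per request, so
 * the page reads it once (e.g. from a meta tag) and sends it on every call.
 */
public class AjaxCsrfInterceptor extends AbstractInterceptor {
    static final String SESSION_KEY = "ajaxCsrfToken"; // assumed name
    static final String HEADER = "X-CSRF-Token";       // assumed name
    private static final SecureRandom RNG = new SecureRandom();

    /** Returns the session's token, creating it on first use. */
    public static String tokenFor(Map<String, Object> session) {
        synchronized (session) {
            String t = (String) session.get(SESSION_KEY);
            if (t == null) {
                byte[] raw = new byte[32];
                RNG.nextBytes(raw);
                t = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
                session.put(SESSION_KEY, t);
            }
            return t;
        }
    }

    @Override
    public String intercept(ActionInvocation invocation) throws Exception {
        HttpServletRequest req = ServletActionContext.getRequest();
        if ("GET".equals(req.getMethod()) || "HEAD".equals(req.getMethod())) {
            return invocation.invoke(); // safe methods change no state
        }
        String expected = tokenFor(invocation.getInvocationContext().getSession());
        String got = req.getHeader(HEADER);
        // A plain HTML form cannot set a custom header; compare in constant time.
        if (got == null || !MessageDigest.isEqual(got.getBytes("UTF-8"),
                                                  expected.getBytes("UTF-8"))) {
            ServletActionContext.getResponse().sendError(HttpServletResponse.SC_FORBIDDEN);
            return null; // stop the chain; the 403 is the whole response
        }
        return invocation.invoke();
    }
}
```

The interceptor is registered in struts.xml on the Ajax actions, and the page exposes `tokenFor(session)` once (for example in a meta tag) so the Dojo layer can add it as the `X-CSRF-Token` header on each XHR.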