Thanks, I was looking for Multi-Request prevention; is my problem equal to the CSRF issue?
~Regards,
~~Alireza Fattahi
________________________________
From: Martin Gainty <mgai...@hotmail.com>
To: Struts Users Mailing List <user@struts.apache.org>
Sent: Friday, 27 September 2013, 0:12
Subject: RE: Prevent Ajax Multi-Request in Struts 2

To Mitigate add a "nonce" to the form
https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)
Saludos
Martin-

> Date: Thu, 26 Sep 2013 08:43:12 -0400
> Subject: Re: Prevent Ajax Multi-Request in Struts 2
> From: jlm...@gmail.com
> To: user@struts.apache.org; afatt...@yahoo.com
>
> Hi,
> Since XHR requests cannot be cross-domain, you cannot get a CSRF through
> XHR (the browser will not allow another page to send an XHR to your server).
> The only option would be a normal post against your supposed-ajax URL. In
> order to protect against it, we check for an HTTP header that is sent on
> any ajax request by our javascript framework (Dojo). A normal form cannot
> be manipulated to add that header, so if the request is supposed to be ajax,
> and it does not have the header, you can reject it, because it is a CSRF
> attempt.
>
> Regards
> JL
>
> 2013/9/25 Alireza Fattahi <afatt...@yahoo.com>
>
> > Hi,
> >
> > We want to avoid multi-request sent via Ajax in a struts 2 web based
> > application.
> >
> > The `s:token` can be used in regular request-response jsp pages, but it
> > will not work for ajax requests. The problem is the returned response, which
> > does not populate a new value for the struts token.
> >
> > I found this issue at
> > http://stackoverflow.com/questions/13353577/howto-do-csrf-protection-in-struts2-application-for-ajax-requests
> > but I wonder if there is any better way for that? (I think this is a very
> > common issue which must have been managed in struts)
> >
> > ~Regards,
> > ~~Alireza Fattahi
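The thread describes two server-side checks for an Ajax endpoint in Struts 2: rejecting requests that lack the header a browser XHR library sets (JL's approach), and a per-request nonce that the response renews so the client can send it again (Martin's nonce, which also covers the original duplicate-submission problem that `s:token` does not solve for Ajax because the response never carries a new token). The interceptor below is an added example, not code from this thread or from the Struts project; it combines both checks. The class name, the `X-Ajax-Token` header name and the `ajaxToken` session key are assumptions, and it assumes a single-JVM session (no replicated session store).

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Map;
import java.util.UUID;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.struts2.ServletActionContext;

import com.opensymphony.xwork2.Action;
import com.opensymphony.xwork2.ActionInvocation;
import com.opensymphony.xwork2.interceptor.AbstractInterceptor;

/**
 * Hypothetical interceptor for Ajax-only actions (added example, not Struts code).
 * 1. The request must carry X-Requested-With: XMLHttpRequest, which a plain
 *    HTML form cannot set (the header check described in the thread).
 * 2. The request must carry the one-time token currently stored in the session
 *    (the nonce). The token is consumed on use, so a second submission with the
 *    same token is rejected; that is the multi-request case.
 * 3. A fresh token is returned in a response header so the Ajax client can
 *    update its copy, which is what s:token does not do for Ajax responses.
 */
public class AjaxTokenInterceptor extends AbstractInterceptor {

    public static final String AJAX_HEADER = "X-Requested-With"; // set by Dojo, jQuery, ...
    public static final String TOKEN_HEADER = "X-Ajax-Token";    // assumed name, used on request and response
    public static final String SESSION_KEY = "ajaxToken";        // assumed session attribute

    /** Stores a new random token in the session and returns it. Call this from the
     *  action that renders the page which starts the Ajax traffic, and embed the
     *  returned value in that page so the first XHR can present it. */
    public static String issueToken(Map<String, Object> session) {
        String token = UUID.randomUUID().toString();
        session.put(SESSION_KEY, token);
        return token;
    }

    @Override
    public String intercept(ActionInvocation invocation) throws Exception {
        HttpServletRequest request = ServletActionContext.getRequest();
        HttpServletResponse response = ServletActionContext.getResponse();
        Map<String, Object> session = invocation.getInvocationContext().getSession();

        // A normal HTML form post cannot add this header, so its absence means
        // the request did not come from the page's own XHR code.
        if (!"XMLHttpRequest".equals(request.getHeader(AJAX_HEADER))) {
            return reject(response, "expected an XMLHttpRequest");
        }

        String presented = request.getHeader(TOKEN_HEADER);
        String fresh;
        // Check-and-rotate under a lock so two concurrent requests carrying the
        // same token cannot both pass (single-JVM session assumed).
        synchronized (session) {
            String expected = (String) session.get(SESSION_KEY);
            if (expected == null || presented == null || !constantTimeEquals(expected, presented)) {
                return reject(response, "missing or stale token");
            }
            fresh = issueToken(session); // consume the old token, store the next one
        }
        response.setHeader(TOKEN_HEADER, fresh); // client reads this and replaces its copy
        return invocation.invoke();
    }

    private static String reject(HttpServletResponse response, String reason) throws IOException {
        response.sendError(HttpServletResponse.SC_FORBIDDEN, reason);
        return Action.NONE; // the response is already written; no Struts result to render
    }

    /** Compare tokens without leaking their length-of-match through timing. */
    private static boolean constantTimeEquals(String a, String b) {
        return MessageDigest.isEqual(a.getBytes(StandardCharsets.UTF_8),
                                     b.getBytes(StandardCharsets.UTF_8));
    }
}
```

Register it in struts.xml with `<interceptor name="ajaxToken" class="...AjaxTokenInterceptor"/>` and place it in the stack of the Ajax actions only. On the client, send the current token in `X-Ajax-Token` on every XHR, read the same header from each response and store it for the next call; because the token is consumed per request, the client must wait for a response before sending the next request that uses it, and a 403 on a stale token is the signal that a duplicate or replayed submission was dropped.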