Jose,
 
I am still in the middle of this problem :(
Can you please let me know what you mean by "check HTTP header" ?!

~Regards,
~~Alireza Fattahi
 

________________________________
 From: JOSE L MARTINEZ-AVIAL <jlm...@gmail.com>
To: Struts Users Mailing List <user@struts.apache.org>; Alireza Fattahi 
<afatt...@yahoo.com> 
Sent: Thursday, 26 September 2013, 16:13
Subject: Re: Prevent Ajax Multi-Request in Struts 2
  

Hi,
  Since XHR requests cannot be cross-domain, you cannot get a CSRF through
XHR (the browser will not allow another page to send an XHR to your server).
The only option would be a normal post against your supposed-ajax URL. In
order to protect against it, we check for an HTTP header that is sent on
any ajax request by our javascript framework (Dojo). A normal form cannot
be manipulated to add that header, so if the request is supposed to be ajax
and it does not have the header, you can reject it, because it is a CSRF
attempt.


Regards

JL




2013/9/25 Alireza Fattahi <afatt...@yahoo.com>

> Hi,
>
> We want to avoid multi-request sent via Ajax in struts 2 web based
> application.
>
> The `s:token` can be used in regular request-response jsp pages, but it
> will not work for ajax requests. The problem is the returned response, which
> does not populate a new value for the struts token.
>
> I found this issue at
> http://stackoverflow.com/questions/13353577/howto-do-csrf-protection-in-struts2-application-for-ajax-requests
> but I wonder if there is any better way for that? (I think this is a very
> common issue which must have been managed in struts)
>
>
> ~Regards,
> ~~Alireza Fattahi
>

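The header check Jose describes, written out as a Struts 2 interceptor. This is an added example, not code from the thread or from Struts itself. It assumes the marker header is `X-Requested-With: XMLHttpRequest` (the value Dojo and most XHR helpers set; the thread does not name the header), and the package, class and interceptor names are hypothetical. The check holds because a browser only adds that header when the page's own script sets it, and a cross-origin page cannot attach a custom header without a CORS preflight the server has to approve explicitly; it therefore complements `s:token` for ajax-only actions rather than replacing it for regular form posts.

```java
// Added example (not from the thread): a Struts 2 interceptor that rejects
// requests to ajax-only actions when the XMLHttpRequest marker header is absent.
// Assumptions: header X-Requested-With with value "XMLHttpRequest" (what Dojo
// sends); package and class names are hypothetical.
package example.security;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import com.opensymphony.xwork2.Action;
import com.opensymphony.xwork2.ActionInvocation;
import com.opensymphony.xwork2.interceptor.AbstractInterceptor;
import org.apache.struts2.ServletActionContext;

public class AjaxOnlyInterceptor extends AbstractInterceptor {

    static final String MARKER_HEADER = "X-Requested-With";
    static final String MARKER_VALUE = "XMLHttpRequest";

    // True only when the request carries the marker a browser-side XHR sets.
    // A plain HTML form submission (the CSRF vector discussed in the thread)
    // cannot add this header, so it fails the check.
    static boolean isXhr(String headerValue) {
        return headerValue != null
                && MARKER_VALUE.equalsIgnoreCase(headerValue.trim());
    }

    @Override
    public String intercept(ActionInvocation invocation) throws Exception {
        HttpServletRequest request = ServletActionContext.getRequest();
        HttpServletResponse response = ServletActionContext.getResponse();

        if (!isXhr(request.getHeader(MARKER_HEADER))) {
            // Reject before the action runs; no view is rendered.
            response.sendError(HttpServletResponse.SC_FORBIDDEN,
                    "ajax-only endpoint: missing " + MARKER_HEADER);
            return Action.NONE;
        }
        return invocation.invoke();
    }
}
```

To wire it in, declare the class in `struts.xml` under `<interceptors>` as `<interceptor name="ajaxOnly" class="example.security.AjaxOnlyInterceptor"/>` and add `<interceptor-ref name="ajaxOnly"/>` to each ajax action (or to an ajax-only package's default stack). Keep the server's CORS configuration strict (no reflected or wildcard `Access-Control-Allow-Origin` with custom headers allowed), since an over-permissive CORS policy is what would let a foreign origin legitimately send this header.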