2011/4/13 Mathew Samuel <[email protected]>:
> Hi,
>
> There's a JSP example line given, with respect to using CSRF (Cross-site
> Request Forgery), that showed how one could access the CSRF nonce and include
> it with a URL:
>
> <c:url var="url" value="/show">
>   <c:param name="id" value="0"/>
>   <c:param name="org.apache.catalina.filters.CSRF_NONCE"
>            value="${session.org.apache.catalina.filters.CSRF_NONCE}"/>
> </c:url>
> <a href="${show}">Show</a>
1) ${session['org.apache.catalina.filters.CSRF_NONCE']}
2) The value of the above is some object (a cache) not a String.
It cannot be used as a <c:param> value.
3) c:url already takes care of the nonce,
because it calls HttpServletResponse.encodeURL(..)
(...)
>
> I've tried a few things and so far have been unsuccessful at retrieving this
> value. Any help would be appreciated.
If I log in to the Tomcat Manager web application, a list of web
applications is displayed.
There click on the number in the "Sessions" column (for the manager
webapp). There will be a list of sessions.
Then click on the session id. There will be the "Session detail" page
for a session.
The "org.apache.catalina.filters.CSRF_NONCE" attribute does exist and
is shown on that page.
Best regards,
Konstantin Kolinko
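A corrected form of the quoted snippet, added here as an illustration and not taken from either message: with the CsrfPreventionFilter mapped to the page, `<c:url>` calls `HttpServletResponse.encodeURL(..)`, so the nonce parameter is appended without any `<c:param>`. The attribute lookup uses the EL implicit object `sessionScope` with the bracket form, since the attribute name contains dots; the `/show` path and `id` parameter are just the values from the quoted example.

```jsp
<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>

<%-- Build the link with <c:url> only. No CSRF_NONCE <c:param> is needed:
     <c:url> calls HttpServletResponse.encodeURL(), and the response
     wrapper installed by the CsrfPreventionFilter appends
     org.apache.catalina.filters.CSRF_NONCE=<nonce> to the encoded URL. --%>
<c:url var="url" value="/show">
    <c:param name="id" value="0"/>
</c:url>
<a href="${url}">Show</a>

<%-- The session attribute holds the filter's nonce cache object, not a
     String, so it cannot be used as a parameter value. It can still be
     checked to confirm the filter has initialised the nonce store for
     this session. Bracket syntax is required because of the dots in the name. --%>
<c:choose>
    <c:when test="${not empty sessionScope['org.apache.catalina.filters.CSRF_NONCE']}">
        <p>CSRF nonce cache present for this session.</p>
    </c:when>
    <c:otherwise>
        <p>No CSRF nonce cache: is the CsrfPreventionFilter mapped to this page?</p>
    </c:otherwise>
</c:choose>
```

Viewing the rendered HTML of the page shows the nonce parameter already present in the `href`, which is the quickest way to confirm the filter is active for that URL.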