CSRFGuard - request token does not match session token


Problem description

I am trying to incorporate the CSRFGuard library in order to rectify some CSRF vulnerabilities in an application. However, after configuring as specified here, I am now getting the below messages in the log when I navigate the application:

WARNING: potential cross-site request forgery (CSRF) attack thwarted (user:<anonymous>, ip:169.xx.x.xxx, uri:/myapp/MyAction, error:request token does not match session token)

By including the following:

<script src="/sui/JavaScriptServlet"></script>

On my main.jsp page the links have all been built incorporating the CSRFGuard token, e.g.

......./myapp/MyAction?CSRFTOKEN=BNY8-3H84-6SRR-RJXM-KMCH-KLLD-1W45-M18N

So I am unable to understand what I'm doing wrong that could cause the links to pass a token other than the expected value.

Please let me know if any additional information would make it easier to understand.

Recommended answer

In case anyone stumbles across a similar issue:

Turned out that accessing the app using IE wasn't passing a token to an AJAX call; this would in turn result in the tokens being refreshed, but the links in the already rendered page remained, causing the mismatch when clicked.

Found out the issue by building CSRFGuard myself from source and adding extra logging.
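To make the failure mode in the answer concrete, here is an added simulation of a synchronizer-token check that rotates the session token on a failed validation (constructed example, not CSRFGuard's own code; `TokenGuard`, `rotate_on_failure` and the `/myapp/...` paths are hypothetical). An AJAX call that omits the token triggers the rotation, so a link rendered earlier now carries a stale token and is rejected.

```python
import secrets


class TokenGuard:
    """Hypothetical synchronizer-token check mimicking the behaviour the
    answer describes (constructed example, not CSRFGuard's real code)."""

    def __init__(self, rotate_on_failure=True):
        # One token per session; links and AJAX calls must echo it back.
        self.session_token = secrets.token_hex(8)
        self.rotate_on_failure = rotate_on_failure
        self.log = []

    def render_page(self):
        # Links embed whatever the session token is at render time.
        return {"/myapp/MyAction": f"/myapp/MyAction?CSRFTOKEN={self.session_token}"}

    def handle_request(self, uri, token):
        """Return True if the request carries the current session token."""
        if token == self.session_token:
            return True
        error = "missing token" if token is None else "request token does not match session token"
        self.log.append(f"WARNING: potential CSRF attack thwarted (uri:{uri}, error:{error})")
        if self.rotate_on_failure:
            # Rotating here invalidates every link rendered with the old token.
            self.session_token = secrets.token_hex(8)
        return False


def stale_link_scenario(ajax_sends_token, rotate_on_failure=True):
    """Render a page, fire one AJAX call, then click a rendered link.
    Returns (ajax_accepted, click_accepted, log)."""
    guard = TokenGuard(rotate_on_failure)
    links = guard.render_page()
    link_token = links["/myapp/MyAction"].split("CSRFTOKEN=")[1]
    # The AJAX call either echoes the token (fixed client) or omits it (what IE did).
    ajax_ok = guard.handle_request("/myapp/ajax", link_token if ajax_sends_token else None)
    # The user now clicks a link that was rendered before the AJAX call ran.
    click_ok = guard.handle_request("/myapp/MyAction", link_token)
    return ajax_ok, click_ok, guard.log


if __name__ == "__main__":
    for line in stale_link_scenario(ajax_sends_token=False)[2]:
        print(line)
```

With rotation disabled the stale link would still validate, which is why the extra logging in the answer was needed to see that the token refresh, not the link construction, was the cause.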
