vaadin中每个请求的csrf令牌 [英] csrf token per request in vaadin

问题描述

我是vaadin的新手，我想实现一个csrf令牌保护，我发现vaadin已经在请求中注入了csrf令牌，但问题是csrf令牌在每个请求中都是相同的，是vaadin中的任何配置吗？在每个请求中生成新令牌？还是在创建新会话时强制vaadin重新生成csrf令牌？

I'm new to vaadin and I want to implement a csrf token protection , I found that vaadin already inject csrf token in requests but the problem is that the csrf token is the same in each request , is their any configuration in vaadin to generate new token in each request? or is their any way to force vaadin to regenerate a csrf token when new session is created?

我使用以下代码解决了会话固定漏洞，但问题是csrf令牌与先前的会话令牌保持相同；因为reinitializeSession方法使用新的jsessionID创建具有相同内容的新会话

I used the following code to solve session fixation vulnerability but the problem is the csrf token remain the same of the previous session token; because the reinitializeSession method creates a new session with the same contents with new jsessionID

VaadinService.reinitializeSession()

推荐答案

当前有一个拉动请求正在打开，以添加这种功能： https://github.com/vaadin/framework/pull/10953 。

There's current a pull request open for adding that kind of functionality: https://github.com/vaadin/framework/pull/10953.

这篇关于vaadin中每个请求的csrf令牌的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！