Open GoogleCodeExporter opened 9 years ago
Original comment by manico.james@gmail.com
on 1 Nov 2010 at 4:27
Original comment by manico.james@gmail.com
on 1 Nov 2010 at 12:52
What will the JSP calling the above tools look like?
I am a little confused about when I should set the CSRF token in the request
parameter. Should that be onsubmit?
Original comment by brijesh....@gmail.com
on 6 Jul 2011 at 8:10
Hi,
As per the above-mentioned mechanism, we are adding a secret token as a hidden
field in the JSP and hence it's passed in the request.
As we are passing it in a JSP as a hidden field, the attacker would be able
to find the value of the secret token and could add the same in his malicious
request also. In such a scenario, we would not be able to differentiate the
malicious and intended request, right?
Apologies if my understanding is wrong! Requesting you to explain briefly
if I have understood wrongly.
Thanks!
Original comment by robinspe...@gmail.com
on 7 Jun 2013 at 6:10
Original issue reported on code.google.com by
rkli...@gmail.com
on 31 Oct 2010 at 2:03