Can any one help how to generate csrf token for each request and how to validate it.
Question:
Answer 1:
In general you will have to getToken from your form template to include a hidden input in the form, and then in the receiving Servlet ensure that you are getting a POST request and isValid.
How you tie that up consistently across your app will depend on what framework code you're using. If by "Action Class" you're referring to Struts 2, then that framework already has its own TokenSessionInterceptor mechanism for CSRF, which generally you would want to re-use.
Now the requirement is for each request
If you mean that someone is asking for the CSRF token to be changed on every page load, you should fight that request because it is bogus.
"CSRF token isn't invalidated on every request" is a common filler-finding on pen test reports but fixing it will make your app much less usable. If your old token is invalidated on each new page then you won't be able to use different pages in two tabs simultaneously, or navigate back a page and then submit a form.
When you should be invalidating the CSRF token (and issuing a new one) is at the same time you invalidate your session: on any privilege level change. Most obviously, when the user logs in successfully you should throw away the old session, and the old CSRF token inside it, and replace them with new ones to prevent session fixation attacks.
But going further than that sacrifices usability, for no gain in security.
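The pattern the answer describes (one token per session, emitted as a hidden input, checked only on POST, and rotated together with the session on login rather than on every request) as an added, runnable example. This is illustrative code written for this page, not the asker's Servlet code and not Struts 2's TokenSessionInterceptor; it models the session store as a plain dictionary and the request as a method string plus a form dictionary, which are assumptions made so it runs offline.

```python
import hmac
import secrets
from html import escape

TOKEN_BYTES = 32          # 256 bits of randomness per token
FIELD = "csrf_token"      # name of the hidden form field (assumed name)


class Session:
    """Minimal stand-in for a server-side session (constructed for this example)."""
    def __init__(self, user=None):
        self.user = user
        self.csrf_token = None


def get_token(session):
    """Return the session's CSRF token, minting one on first use.

    The same token is returned for every page load in the session, so a form
    opened in a second tab, or reached via the back button, still validates.
    """
    if session.csrf_token is None:
        session.csrf_token = secrets.token_urlsafe(TOKEN_BYTES)
    return session.csrf_token


def hidden_input(session):
    """HTML fragment a form template would include so the token is POSTed back."""
    return '<input type="hidden" name="%s" value="%s">' % (
        FIELD, escape(get_token(session), quote=True))


def is_valid(session, method, form):
    """Check a submitted request against the session's token.

    Only state-changing (POST) requests are accepted, the token must exist in
    the session, and the comparison is constant-time so a timing difference
    does not leak how many leading characters matched.
    """
    if method != "POST":
        return False
    expected = session.csrf_token
    submitted = form.get(FIELD)
    if expected is None or not isinstance(submitted, str):
        return False
    return hmac.compare_digest(expected, submitted)


def login(store, old_sid, user):
    """Privilege change: drop the old session (and its token), issue fresh ones.

    Rotating the session id and the token together here is what defeats
    session fixation; rotating the token on every request would not add to
    that and would break multi-tab use.
    """
    store.pop(old_sid, None)
    new_sid = secrets.token_urlsafe(TOKEN_BYTES)
    fresh = Session(user=user)
    get_token(fresh)          # mint the new token eagerly
    store[new_sid] = fresh
    return new_sid


def demo():
    """Walk through the lifecycle and return the observations as a dict."""
    store = {}
    sid = "anon-session"      # constructed pre-login session id
    store[sid] = Session()
    token = get_token(store[sid])
    results = {
        "stable_across_loads": get_token(store[sid]) == token,
        "post_with_token": is_valid(store[sid], "POST", {FIELD: token}),
        "second_tab_still_ok": is_valid(store[sid], "POST", {FIELD: token}),
        "get_rejected": is_valid(store[sid], "GET", {FIELD: token}),
        "wrong_token_rejected": is_valid(store[sid], "POST", {FIELD: "bogus"}),
        "missing_token_rejected": is_valid(store[sid], "POST", {}),
    }
    new_sid = login(store, sid, "alice")
    results["old_session_gone"] = sid not in store
    results["token_rotated_on_login"] = get_token(store[new_sid]) != token
    results["old_token_rejected_after_login"] = is_valid(
        store[new_sid], "POST", {FIELD: token})
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print("%-32s %s" % (name, value))
```

The two `second_tab_still_ok` and `stable_across_loads` checks are the usability point the answer makes: because the token is tied to the session and not to a single response, repeated submissions within the session keep working, while `old_token_rejected_after_login` shows the one rotation that actually matters.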