{var%20f='http://v.t.sina.com.cn/share/share.php?appkey=1515056452',u=z||d.location,p=['&url=',e(u),'&title=',e(t||d.title),'&source=',e(r),'&sourceUrl=',e(l),'&content=',c||'gb2312','&pic=',e(p||'')].join('');function%20a(){if(!window.open([f,p].join(''),'mb',['toolbar=0,status=0,resizable=1,width=440,height=430,left=',(s.width-440)/2,',top=',(s.height-430)/2].join('')))u.href=[f,p].join('');};if(/Firefox/.test(navigator.userAgent))setTimeout(a,0);else%20a();})(screen,document,encodeURIComponent,'','','https://www.manongdao.com/data/attach/logo/logo.png', '推荐 一夜七次 的问题《HOWTO do CSRF protection in Struts2 application fo》','https://www.manongdao.com/q-1265682.html','页面编码gb2312|utf-8默认gb2312'));){kind=link}
I have a struts2 webapp in which I need to implement CSRF protection. For statis forms it is pretty straight forward. I just need to activate the tokenSession interceptor & then set <s:token/> in the form to be submitted. (explained here and here)
But the problem appears when I need to enable CSRF protection for POST AJAX calls (I am using jQuery) which are not necessarily submitted via forms. I face the issue of re-using token when making subsequent AJAX calls.
Any pointers or different approaches are appreciated.
Currently I have resolved the issue by generating tokens for AJAX requests and sending it with the normal response like so -
I will abstract out a util method out of this & have the Actions that are token-activated to return this as part of response for actions which will be executed repeatedly without refresh of the page.
I am still looking for an elegant solution to this though.
Can't you generate a Token and use it as parameter in the ajax call ?
For the subsequent AJAX calls, you can use a
per-user Token,not necessarily a
per-request Token,as explained in this SO answer: Do I need a CSRF token for jQuery .ajax()?