Discussion:
Ajax and CSRF vulnerability
GILQUIN Pierre
2018-12-06 14:57:17 UTC
Permalink
Hi,

1) I used a hidden field wosid to prevent CSRF vulnerability in a standard Wonder application (<input type="hidden" name="wosid" value="wIrACwBfmFeiVyNcVMFkow">).
I just compare this hidden field with the real session ID.

Now, I want to use the same protection in some ajaxified components. Problem: by default, the HTTP post is partial and wosid is not sent.
« fullSubmit = true » cannot be easily used in this app.

Is there a way to configure/adapt the Wonder Ajax framework so that the wosid will always be added to the partial formValues?

2) This application must be deployed in a Tomcat environment. I have seen a cookie with the Tomcat session JSESSIONID.
Is there a way to access the Tomcat JSESSIONID in the Wonder app in order to compare it with the value in the cookie?

Thanks for any help
Pierre

_______________________________________________
Do not post admin requests to the list. They will be ignored.
Webobjects-dev mailing list (Webobjects-***@lists.apple.com)
Help/Unsubscribe/Update your Subscription:
https://lists.apple.com/mailman/options/webobjects-dev/uoh8%40ml-in.narkive.net

Kai Lochbaum
2018-12-06 15:06:50 UTC
Permalink
Hi Pierre,

there is a global AjaxOptions.defaultOptions function which is used in all Wonder Ajax requests, where you can hook up such things via JavaScript.

We also use it to send a CSRF token as a request header:

    // Wrap the wonder.js default-options hook so every Ajax request carries the token.
    if (AjaxOptions && typeof AjaxOptions.defaultOptions === 'function' && csrftoken) {
        var originalFn = AjaxOptions.defaultOptions;
        AjaxOptions.defaultOptions = function(additionalOptions) {
            Object.extend(additionalOptions, { 'requestHeaders': { csrftoken: csrftoken }});
            return originalFn(additionalOptions);
        };
    }

Then you just need to add some JS to get the csrftoken variable from your hidden field, and add that JavaScript code after the wonder.js script tag.

For validation you obviously have to check the header in this implementation.

Cheers,

Kai Lochbaum
--
salient GmbH, Lindleystraße 12, 60314 Frankfurt

Switchboard: 069 / 65 00 96 - 0 | http://www.salient-doremus.de
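As an added example (not code from this thread, from wonder.js or from Project Wonder), the following is a stand-alone model of the hook Kai describes that runs in Node without a browser, Prototype or wonder.js. The names objectExtend (a stand-in for Prototype's Object.extend), the AjaxOptions stub, installCsrfHook, appendParameter and readTokenFromPage are all hypothetical; the real wonder.js defaultOptions is assumed to take a single options object, as Kai's snippet calls it. It goes a little beyond Kai's snippet in two ways: it merges the token into any requestHeaders the component already set instead of replacing them, and it also appends the token to the request parameters so that Pierre's existing form-value check on wosid can be reused for partial submits.

```javascript
// Added example: a runnable model of hooking AjaxOptions.defaultOptions to add a
// CSRF token to every Wonder Ajax request. All names are hypothetical stand-ins.

// Stand-in for Prototype's Object.extend: shallow-copies source onto destination.
function objectExtend(destination, source) {
  for (const key in source) {
    if (Object.prototype.hasOwnProperty.call(source, key)) destination[key] = source[key];
  }
  return destination;
}

// Stand-in for the wonder.js global. Assumption: it merges the caller's options
// over a set of defaults; the real defaults are not known here.
const AjaxOptions = {
  defaultOptions: function (additionalOptions) {
    return objectExtend({ method: 'post', asynchronous: true }, additionalOptions || {});
  }
};

// Prototype accepts `parameters` as a query string or as an object; handle both.
function appendParameter(parameters, name, value) {
  const pair = encodeURIComponent(name) + '=' + encodeURIComponent(value);
  if (parameters === undefined || parameters === null || parameters === '') return pair;
  if (typeof parameters === 'string') return parameters + '&' + pair;
  return objectExtend(objectExtend({}, parameters), { [name]: value });
}

// Wraps defaultOptions so every request carries the token both as a request
// header and as a form parameter. Existing headers and parameters are kept,
// which a plain Object.extend(additionalOptions, { requestHeaders: {...} })
// would silently discard. Returns false if there is nothing to hook.
function installCsrfHook(ajaxOptions, tokenName, token) {
  if (!ajaxOptions || typeof ajaxOptions.defaultOptions !== 'function' || !token) {
    return false;
  }
  const originalFn = ajaxOptions.defaultOptions;
  ajaxOptions.defaultOptions = function (additionalOptions) {
    const opts = objectExtend({}, additionalOptions || {});
    opts.requestHeaders = objectExtend(objectExtend({}, opts.requestHeaders || {}),
                                       { [tokenName]: token });
    opts.parameters = appendParameter(opts.parameters, tokenName, token);
    return originalFn(opts);
  };
  return true;
}

// Reads the token the way the page would: from the hidden input Pierre renders.
// `doc` is the browser document (or any object exposing querySelector).
function readTokenFromPage(doc, fieldName) {
  const input = doc.querySelector('input[type="hidden"][name="' + fieldName + '"]');
  return input ? input.value : null;
}

// In a page this would run after the wonder.js script tag, e.g.:
//   installCsrfHook(AjaxOptions, 'wosid', readTokenFromPage(document, 'wosid'));
```

On the server side the check has to cover both transports: an Ajax action must reject a request whose header value, or failing that whose wosid form value, does not match the session, and the comparison should happen before the action is dispatched, not only on the full-form submit path.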
Leigh Kivenko
2018-12-08 20:46:38 UTC
Permalink
Just wondering if anyone has ever addressed this in the non-Wonder WOLips framework?

Leigh Kivenko | VP, Technology
PortfolioAid
t. 416-479-0523 | e. ***@portfolioaid.com<mailto:***@portfolioaid.com>

This e-mail may be privileged and confidential. If you received this e-mail in error, please do not use, copy or distribute it, but advise me immediately (by return e-mail or otherwise), and delete the e-mail.
