Re: Cross-Site Request Forging (XSRF)

Posted by byersa on Mar 05, 2009; 11:02pm
URL: http://ofbiz.116.s1.nabble.com/Cross-Site-Request-Forging-XSRF-tp197647p197650.html

David,

I am trying to think of the effect this will have as applications have more
and more AJAX calls. It seems like it would come down to implementing a
central object for processing such requests, and the developer would not need
to worry about it, but then a mix of page requests and AJAX calls would be a
problem. I guess it would just mean that every page that is loaded would
update the central AJAX processing object with its token.

But then, a lot of times, there are asynchronous AJAX requests going on that
would make it impossible to keep a single token going. But, generally, you
would only have one secure AJAX request active at a time. Did you say this
would only be for secure requests? Maybe allowing a rolling list of the last
x tokens would help in the AJAX environment when you want to allow
concurrent secure requests. Varying the size of "x" would make the system
more or less secure, right?

In short, with more and more apps trying to emulate a desktop environment,
this will be more of a problem, but on the other hand, such a client-side
framework could take care of most of the work in making this happen.

-Al
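As an added illustration of the "rolling list of the last x tokens" idea from the post above (example code, not from this thread or from OFBiz), here is a server-side, per-session token window in Python; the class name, the window size of 4 and the single-use rule are assumptions. Each page load or secure AJAX response calls `issue()`, each state-changing request must present a token still inside the window, and a larger x keeps more tokens live at once, which is exactly the trade-off the post asks about.

```python
import secrets
from collections import deque


class RollingCsrfTokens:
    """Window of the last `window` CSRF tokens issued to one session.

    Tokens are single-use: each concurrent AJAX request carries its own
    token, so several can be in flight without sharing one value. Anything
    evicted from the window (or already consumed) is rejected.
    """

    def __init__(self, window: int = 4) -> None:
        if window < 1:
            raise ValueError("window must hold at least one token")
        self.window = window
        # deque(maxlen=...) drops the oldest token automatically on overflow
        self._tokens: deque[str] = deque(maxlen=window)

    def issue(self) -> str:
        """Mint a fresh random token and add it to the window."""
        token = secrets.token_urlsafe(32)
        self._tokens.append(token)
        return token

    def validate(self, presented: object) -> bool:
        """Accept `presented` once if it is still inside the window."""
        # compare_digest only accepts ASCII str; reject anything else outright
        if not isinstance(presented, str) or not presented.isascii():
            return False
        for live in list(self._tokens):
            # constant-time compare so a mismatch does not leak a prefix match
            if secrets.compare_digest(live, presented):
                self._tokens.remove(live)  # single use: a replay is refused
                return True
        return False


def demo() -> dict:
    """Walk through the post's scenario with a window of 2 tokens."""
    session = RollingCsrfTokens(window=2)
    first, second, third = session.issue(), session.issue(), session.issue()
    return {
        "evicted_oldest": session.validate(first),   # False: pushed out by third
        "concurrent_ok": session.validate(third) and session.validate(second),
        "replay_rejected": session.validate(third),  # False: already consumed
        "garbage_rejected": session.validate("not-a-token"),
    }
```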