
Re: Cross-Site Request Forging (XSRF)

Posted by David E Jones-3 on Mar 06, 2009; 5:58am
URL: http://ofbiz.116.s1.nabble.com/Cross-Site-Request-Forging-XSRF-tp197647p197651.html


Yes, AJAX calls are an interesting point... If AJAX requests used the random token, even a single call would reset the token and break things. If they did not use the random token, they are a gaping security hole.

I don't think we're going to do the random token thing, unless someone sponsors and contributes it and by default it is turned off. If we do, the AJAX stuff will be an issue... and I can't think of a good solution. The thought crossed my mind of using a stateless pattern and having them not use the session (OFBiz services work this way by default anyway), but then the browser would have to pass auth credentials with each request, and the browser wouldn't generally know them.

Allowing X previous tokens to work opens a larger vulnerability window when AJAX isn't used, and for long-lived pages there could be hundreds of AJAX requests for a single page before the user clicks on a link to go to another page.

Anyway, yes, that is a conundrum.

-David


On Mar 5, 2009, at 4:02 PM, Al Byers wrote:

> David,
>
> I am trying to think of the effect this will have as applications have more and more AJAX calls. It seems like it would come down to implementing a central object for processing such requests and the developer would not need to worry about it, but then a mix of page requests and ajax calls would be a problem. I guess it would just mean that every page that is loaded would update the central ajax processing object with its token.
>
> But then, a lot of times, there are asynchronous ajax requests going on that would make it impossible to keep a single token going. But, generally, you would only have one secure ajax request active at a time. Did you say this would only be for secure requests? Maybe allowing a rolling list of the last x tokens would help in the ajax environment when you want to allow concurrent secure requests. Varying the size of "x" would make the system more or less secure, right?
>
> In short, with more and more apps trying to emulate a desktop environment, this will be more of a problem, but on the other hand, such a client-side framework could take care of most of the work in making this happen.
>
> -Al
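To make the trade-off in this thread concrete, here is an added example (written for this discussion, not OFBiz code) of a per-session CSRF token store that rotates the token on every accepted request but keeps the last `window` tokens valid. `simulate_concurrent_ajax` models a page that fires several AJAX requests before any response returns, so all of them carry the same token; the class name, the `window` parameter and the simulation are assumptions of this example.

```python
import secrets
from collections import deque


class RollingCsrfTokens:
    """Per-session CSRF token store (example code, not OFBiz's).

    window=1 is the strict scheme from the thread: each accepted request
    replaces the token, so a second in-flight AJAX call fails.  A larger
    window keeps older tokens alive for concurrent calls, at the cost of
    each token being usable for longer (the wider vulnerability window).
    """

    def __init__(self, window: int = 1):
        if window < 1:
            raise ValueError("window must be >= 1")
        self._valid = deque(maxlen=window)  # oldest token drops off when full
        self.issue()

    def issue(self) -> str:
        """Mint a fresh token; the next rendered page/response embeds it."""
        token = secrets.token_urlsafe(32)
        self._valid.append(token)
        return token

    @property
    def current(self) -> str:
        return self._valid[-1]

    def validate(self, presented: str) -> bool:
        """Accept any token still inside the window, then rotate.

        Constant-time comparison so the check does not leak the token
        through timing; rotation only happens on success so a bogus
        request cannot invalidate a legitimate in-flight one.
        """
        ok = any(secrets.compare_digest(presented, t) for t in self._valid)
        if ok:
            self.issue()
        return ok


def simulate_concurrent_ajax(window: int, in_flight: int) -> list:
    """Page loads with one token; `in_flight` AJAX requests all present it
    because they were fired before any rotated token came back."""
    store = RollingCsrfTokens(window)
    page_token = store.current
    return [store.validate(page_token) for _ in range(in_flight)]
```

With `window=1` only the first of three concurrent calls succeeds; with `window=3` all three do, and a fourth is rejected because the page token has been pushed out of the window.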