Re: Cross-Site Request Forging (XSRF)
Posted by byersa on Mar 06, 2009; 5:09pm
URL: http://ofbiz.116.s1.nabble.com/Cross-Site-Request-Forging-XSRF-tp197647p197652.html
David,
I am just thinking out loud here, but if there were no AJAX calls, then your
original approach would work, and if there were only AJAX calls then, as I
described, all the requests could be run through a common xhr object and it
could handle the tokens. So what if we used a dual random token approach,
using some method to identify which type of token one is (a range, a prefix,
etc.)?
-Al