struts-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
Subject Re: Prevent Ajax Multi-Request in Struts 2
Date Tue, 08 Oct 2013 05:27:06 GMT
Sorry, I just read your mail again, and realice you are not asking specifically for csrf protection(the
link you provided is about that, but not your mail), but just how to avoid multirequest, so
maybe my answer is not usefull at all.

Sent via BlackBerry from T-Mobile

-----Original Message-----
Date: Tue, 8 Oct 2013 05:23:05 
To: Struts Users Mailing List<>; Alireza Fattahi<>
Subject: Re: Prevent Ajax Multi-Request in Struts 2

What are you using on the client for the ajax calls? Dojo? Jquery? They both generate an http
header “x-requested-with” with value “XMLHTTPrequest”. A normal post can not add http
headers, so checking for that header allows you to be sure the request was made using XHR.
Since XHR cannot work cross-domain, if the header is present, you can be sure it is not a
CSRF. Obviously, this does not work if you are susceptible of code injection.

If you are using plain xhr (no javascript framework) you can add the header yourself. Take
a look at how dojo does it.


Sent via BlackBerry from T-Mobile

-----Original Message-----
From: Alireza Fattahi <>
Date: Mon, 7 Oct 2013 22:01:47 
To: Struts Users Mailing List<>
Reply-To: "Struts Users Mailing List" <>
Subject: Re: Prevent Ajax Multi-Request in Struts 2

I am still in the middel of this problem :(
Can you please let me know what do you mean by "check HTTP header" ?!

~~Alireza Fattahi

To: Struts Users Mailing List <>; Alireza Fattahi <>

Sent: Thursday, 26 September 2013, 16:13
Subject: Re: Prevent Ajax Multi-Request in Struts 2

  Since XHR request can not be cross-domain, you can not get a CSRF through
XHR( the browser will not allow other page to send a XHR to your server).
The only option would be a normal post against your supposed-ajax URL. In
order to protect against it, we check for an HTTP header that is sent on
any ajax request by our javascript framework (Dojo). A normal form can not
be manipulate to add that header, so if the request is suppose to be ajax,
and it does not have the header, you can reject it, because it is a CSRF



2013/9/25 Alireza Fattahi <>

> Hi,
> We want to avoid multi-request sent via Ajax in struts 2 web based
> application.
> The `s:token` can be used in regular request-response jsp pages, but it
> will not work for ajax requests. The problem is the returned respond, which
> does not populate new value for struts token.
> I found this issue at
wonder if there is any better way for that? (I think this is a very
> common issue which must have been managed in struts)
> ~Regards,
> ~~Alireza Fattahi
View raw message