tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Mark Thomas <>
Subject Re: CsrfPreventionFilter - LRU cache
Date Fri, 04 Nov 2011 19:23:47 GMT
On 04/11/2011 13:14, Pete Gould wrote:
> Hi,
> I have recently been using
> the org.apache.catalina.filters.CsrfPreventionFilter, and I notice that the
> documentation for setNonceCacheSize states:
> "Sets the number of previously issued nonces that will be cached on a
> LRU basis to support parallel requests..."
> However, looking at the implementation of the cache, it appears to be a
> FIFO implementation rather than a LRU cache. I'm happy to raise a bug and
> supply a patch for whichever is the desired implementation, but need to
> determine what the original intention is first - based on the Javadoc it
> would suggest that the intention is for the cache to be LRU, could anyone
> here confirm that?

I wrote the initial implementation of the CsrfPreventionFilter and I
honestly can't remember whether I actually intended to implement FIFO or
LRU. It isn't beyond the realm of possibility that I started with one
and changed my mind. That said, looking at the svn history for that file
there aren't any obvious suggestions of a change of mind.

> Either cache implementation will work for the majority of cases, however I
> came across this issue when issuing Ajax requests which repeatedly use the
> same nonce string and after 5 requests the value I'm using is ejected from
> the (FIFO) cache, changing the cache to LRU fixes this (although could
> potentially result in the same token being used for N requests).

I think the thing to do here is to work out what the 'best' solution is
and fix the docs/code accordingly. I think LRU is the way to go in which
case the current code needs fixing.


To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message