wicket-users mailing list archives

From shayy <sha...@gmail.com>
Subject Implementing a SecureForm to avoid CSRF attacks
Date Tue, 10 Jun 2014 15:04:55 GMT
I'm trying to implement a SecureForm (extends Form) which dynamically adds a
hidden field to prevent CSRF attacks as described here:
http://apache-wicket.1842946.n4.nabble.com/Security-Features-offered-by-Wicket-td1861659.html

My problem is that my form contains a panel with tabs, each tab refreshes
the Form class through ajax but the HTML stays the same.
The result is that when I try to enter the first tab, click on the second
tab and try to post it I'm getting invalid tokens since the second tab HTML
has the first token but its Form class already instantiated a new CSRF
token.

Does anyone have an idea how I can replace the injected HTML from the
onComponentTagBody?
I'd like to try and use this approach (token field in the SecureForm class)
instead of just putting the token inside the session.

Thanks

--
View this message in context: http://apache-wicket.1842946.n4.nabble.com/Implementing-a-SecureForm-to-avoid-CSRF-attacks-tp4666175.html
Sent from the Users forum mailing list archive at Nabble.com.
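
The token mismatch described in the message above, shown as an added example that is not part of the original post or of Wicket itself: a per-instance token written in `onComponentTagBody` reaches the browser only when the form itself renders, so a form replaced during an Ajax tab switch has to be added to the request target. It assumes the Wicket 6.x API; the `csrfToken` field name and the `rerender` helper are hypothetical.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;

import org.apache.wicket.ajax.AjaxRequestTarget;
import org.apache.wicket.markup.ComponentTag;
import org.apache.wicket.markup.MarkupStream;
import org.apache.wicket.markup.html.form.Form;

public class SecureForm<T> extends Form<T> {
    private static final long serialVersionUID = 1L;
    private static final String TOKEN_PARAM = "csrfToken"; // assumed field name
    private static final SecureRandom RNG = new SecureRandom();

    // One token per form instance: a re-instantiated form gets a new one.
    private final String token = newToken();

    public SecureForm(String id) {
        super(id);
        setOutputMarkupId(true); // needed so Ajax can replace the form's markup
    }

    private static String newToken() {
        byte[] raw = new byte[32];
        RNG.nextBytes(raw);
        StringBuilder hex = new StringBuilder(64);
        for (byte b : raw) hex.append(String.format("%02x", b));
        return hex.toString();
    }

    @Override
    public void onComponentTagBody(MarkupStream markupStream, ComponentTag openTag) {
        // Written only when the form itself renders, not when a child panel does.
        getResponse().write("<input type=\"hidden\" name=\"" + TOKEN_PARAM
                + "\" value=\"" + token + "\"/>");
        super.onComponentTagBody(markupStream, openTag);
    }

    /** Hypothetical helper: call from the Ajax tab callback on the new instance. */
    public void rerender(AjaxRequestTarget target) {
        target.add(this); // browser now receives this instance's token
    }

    @Override
    protected void onValidate() {
        super.onValidate();
        String sent = getRequest().getPostParameters()
                .getParameterValue(TOKEN_PARAM).toString("");
        // Constant-time comparison; a mismatch blocks onSubmit().
        if (!MessageDigest.isEqual(sent.getBytes(StandardCharsets.UTF_8),
                token.getBytes(StandardCharsets.UTF_8))) {
            error("Invalid or stale CSRF token");
        }
    }
}
```

If only the tab's inner panel is added to the `AjaxRequestTarget`, the hidden input in the browser keeps the previous instance's value and `onValidate()` rejects the next submit.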