From: shayy
To: users@wicket.apache.org
Date: Tue, 10 Jun 2014 08:04:55 -0700 (PDT)
Message-ID: <1402412695541-4666175.post@n4.nabble.com>
Subject: Implementing a SecureForm to avoid CSRF attacks

I'm trying to implement a SecureForm (extends Form) which dynamically adds a hidden field to prevent CSRF attacks as described here:
http://apache-wicket.1842946.n4.nabble.com/Security-Features-offered-by-Wicket-td1861659.html

My problem is that my form contains a panel with tabs; each tab refreshes the Form class through ajax, but the HTML stays the same. The result is that when I enter the first tab, click on the second tab and try to post it, I'm getting invalid tokens, since the second tab's HTML has the first token but its Form class has already instantiated a new CSRF token.

Anyone have an idea how I can replace the injected HTML from the onComponentTagBody? I'd like to try and use this approach (token field in the SecureForm class) instead of just putting the token inside the session.

Thanks

--
View this message in context: http://apache-wicket.1842946.n4.nabble.com/Implementing-a-SecureForm-to-avoid-CSRF-attacks-tp4666175.html
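The post describes a synchronizer-token form whose hidden field is written from onComponentTagBody, and the failure mode that follows when the Form instance is re-created by an ajax tab switch: the markup still carries the old token while the new instance generated a fresh one, so every submit fails validation. The class below is an added example (not the poster's code and not a Wicket-provided class) showing the same injection technique with the token's lifetime tied to the page rather than to the Form instance, so a re-instantiated form on the same page validates the token the stale markup still contains. It assumes Wicket 6 APIs (Form, MarkupStream, ComponentTag, MetaDataKey, StringValue, Strings) and Java 8; the parameter name csrfToken and the class name SecureForm are arbitrary choices for the example.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;

import org.apache.wicket.MetaDataKey;
import org.apache.wicket.markup.ComponentTag;
import org.apache.wicket.markup.MarkupStream;
import org.apache.wicket.markup.html.form.Form;
import org.apache.wicket.model.IModel;
import org.apache.wicket.util.string.StringValue;
import org.apache.wicket.util.string.Strings;

/**
 * Example form that emits a hidden anti-CSRF token and checks it on submit.
 * The token is stored as page metadata (not in the session), so every
 * SecureForm instance created for the same page, including one re-created
 * after an ajax refresh, renders and expects the same value.
 */
public class SecureForm<T> extends Form<T> {
    private static final long serialVersionUID = 1L;

    // Hidden field name; assumed for this example.
    private static final String TOKEN_PARAM = "csrfToken";
    private static final SecureRandom RNG = new SecureRandom();

    // Page-scoped key under which the token lives (serialized with the page).
    private static final MetaDataKey<String> CSRF_TOKEN = new MetaDataKey<String>() {
        private static final long serialVersionUID = 1L;
    };

    public SecureForm(String id) {
        super(id);
    }

    public SecureForm(String id, IModel<T> model) {
        super(id, model);
    }

    /** Returns the page's token, generating it on first use. */
    protected String getOrCreateToken() {
        String token = getPage().getMetaData(CSRF_TOKEN);
        if (token == null) {
            byte[] raw = new byte[32];            // 256 bits of entropy
            RNG.nextBytes(raw);
            token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
            getPage().setMetaData(CSRF_TOKEN, token);
        }
        return token;
    }

    @Override
    protected void onComponentTagBody(MarkupStream markupStream, ComponentTag openTag) {
        // Write the hidden input first so it lands inside the <form> body,
        // ahead of the children declared in the markup.
        String hidden = "<input type=\"hidden\" name=\"" + TOKEN_PARAM
            + "\" value=\"" + Strings.escapeMarkup(getOrCreateToken()) + "\" />";
        getResponse().write(hidden);
        super.onComponentTagBody(markupStream, openTag);
    }

    @Override
    protected void onValidate() {
        super.onValidate();
        // Read only the POST body: a token carried in the query string would
        // be attacker-controllable via a crafted link.
        StringValue submitted = getRequest().getPostParameters().getParameterValue(TOKEN_PARAM);
        if (submitted.isNull() || !constantTimeEquals(submitted.toString(), getOrCreateToken())) {
            error("Invalid or missing CSRF token; reload the page and try again.");
        }
    }

    /** Length-independent comparison so timing does not leak the token. */
    static boolean constantTimeEquals(String a, String b) {
        if (a == null || b == null) {
            return false;
        }
        return MessageDigest.isEqual(
            a.getBytes(StandardCharsets.UTF_8),
            b.getBytes(StandardCharsets.UTF_8));
    }
}
```

With this layout the token survives the scenario in the post because the tab switch creates a new Form on the same Page, and the new instance reads the token the page already holds rather than minting another; a token bound to a field of the Form instance would not. Validation failure goes through error() so the form's normal onError() path runs instead of onSubmit(); if the token must also change after a successful submit, clear the page metadata in onSubmit() and the next render will emit a fresh value.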