Hello, I have implemented this library in a Spring (4.0.1) project, and it's working properly until the user logs in, when the JavaScript injects an empty string as the token. If I refresh the page or log out, it loads another token (here are some screenshots). I've tested with different settings, but it's still the same. Any idea what I can look into?
This is the configuration currently used:
************************************************************
* OWASP CSRFGuard properties
* Actions:
* org.owasp.csrfguard.action.Redirect
* Parameter: Page = /{ProjectName}/error.html
* org.owasp.csrfguard.action.Log
* Parameter: Message = Potential cross-site request forgery (CSRF) attack thwarted (user:%user%, ip:%remote_ip%, method:%request_method%, uri:%request_uri%, error:%exception_message%)
* org.owasp.csrfguard.action.Rotate
* Ajax: true
* Banned User Agent Properties:
* msie
* trident
* Enabled: true
* Force Synchronous Ajax: false
* Is Javascript Inject Into Dynamically Created Nodes: false
* Javascript Domain Strict: false
* Javascript Inject Form Attributes: false
* Javascript Inject Get Forms: false
* Javascript Inject Into Attributes: false
* Javascript Inject Into Forms: false
* Javascript Params Initialized: false
* Javascript Referer Match Domain: false
* Javascript Referer Match Protocol: false
* Logical Session Extractor: org.owasp.csrfguard.session.SessionTokenKeyExtractor
* Page Token Synchronization Tolerance: 2000 ms
* Print Config: true
* Prng: java.security.SecureRandom(algorithm: SHA1PRNG, provider: SUN version 1.8)
* Protect: false
* Protected Methods:
* DELETE
* POST
* GET
* PUT
* Rotate: false
* Token Holder: org.owasp.csrfguard.token.storage.impl.InMemoryTokenHolder
* Token Length: 32
* Token Name: OWASP-CSRFTOKEN
* Token Per Page: false
* Token Per Page Precreate: false
* Unprotected Pages:
* *.png
* *.ttf
* *.gif
* *.svg
* *.css
* *.html
* *.jpg
* *.js
* Use New Token Landing Page: false
* Validation When No Session Exists: true
************************************************************
Thanks.