You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
When using the Token-per-page option with AJAX and without token pre-creation (no protected pages are being configured), the solution validates the request with the master token, then generates a new page token on first access of new pages/endpoints, but does not send back the the value to the UI. This behavior leads to false positive CSRF attack attempts and makes the application unusable.
Proposed solution:
Send back the newly generated page token in the response of the request. The JavaScript logic should intercept all XHR requests, look for the specific header and should update the token value associated to the specific page/endpoint if present.
The text was updated successfully, but these errors were encountered:
When using the Token-per-page option with AJAX and without token pre-creation (no protected pages are being configured), the solution validates the request with the master token, then generates a new page token on first access of new pages/endpoints, but does not send back the the value to the UI. This behavior leads to false positive CSRF attack attempts and makes the application unusable.
Proposed solution:
Send back the newly generated page token in the response of the request. The JavaScript logic should intercept all XHR requests, look for the specific header and should update the token value associated to the specific page/endpoint if present.
The text was updated successfully, but these errors were encountered: