The "TokenPerPage" approach is not applied to AJAX #123
Comments
In a single page application, how can we differentiate between pages? For an SPA we could configure CSRFGuard to use a per-request token... Something like: CSRFGuard can generate a new token every time it validates a CSRF token; if the token is valid, it can set the new token in a response header, which the SPA can use for further requests.
REST endpoints, for example, are also considered pages. The solution returns unique tokens for each, but the JS logic does not assign them to XHR requests. Extending this logic to cater for AJAX requests as well could solve the problem. A single-use-token approach could also be followed, but it would require a bigger refactoring as it would affect the
Fixed in the new code-base. The new release candidate version can be found under releases on the official repository.
The current logic generates and returns new, unique tokens for every accessed URI lazily, but they are only injected into forms or `src` and `href` attributes by the `injectTokens` method. This way a large SPA application using exclusively XHR requests would only make use of one single (session) token.