CSRF token per request in Vaadin



Question

I'm new to Vaadin and I want to implement CSRF token protection. I found that Vaadin already injects a CSRF token into requests, but the problem is that the CSRF token is the same in each request. Is there any configuration in Vaadin to generate a new token in each request? Or is there any way to force Vaadin to regenerate a CSRF token when a new session is created?

I used the following code to solve the session fixation vulnerability, but the problem is that the CSRF token remains the same as the previous session's token, because the reinitializeSession method creates a new session with the same contents under a new JSESSIONID:

// Static helper in Vaadin 7.2+/8; it takes the current request as its argument.
VaadinService.reinitializeSession(VaadinService.getCurrentRequest());
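The check below is an added example and not code from the question or from the Vaadin project. It shows the session-fixation mitigation the question describes (rotating the HTTP session id after login with VaadinService.reinitializeSession) together with a verification step: it records the session id and the CSRF token before and after the rotation so the observation in the question (the session id changes, the CSRF token does not) can be confirmed in a test rather than assumed. It assumes Vaadin 7.2+ or 8 (VaadinService, VaadinSession.getCsrfToken, WrappedSession.getId), that it is called from a UI event handler where the session lock is already held, and the class name, method name and the "user" attribute are hypothetical.

```java
import com.vaadin.server.VaadinRequest;
import com.vaadin.server.VaadinService;
import com.vaadin.server.VaadinSession;

/**
 * Hypothetical helper (added example, not Vaadin's own code): rotate the
 * HTTP session after a successful login and report what actually changed.
 */
public final class LoginSessionHardening {

    /** What the rotation did, so a test or audit log can check it. */
    public static final class Result {
        public final String oldSessionId;
        public final String newSessionId;
        public final String oldCsrfToken;
        public final String newCsrfToken;

        Result(String oldSessionId, String newSessionId,
               String oldCsrfToken, String newCsrfToken) {
            this.oldSessionId = oldSessionId;
            this.newSessionId = newSessionId;
            this.oldCsrfToken = oldCsrfToken;
            this.newCsrfToken = newCsrfToken;
        }

        /** True when the session-fixation mitigation took effect. */
        public boolean sessionIdRotated() {
            return !oldSessionId.equals(newSessionId);
        }

        /** True only if the framework also issued a fresh CSRF token. */
        public boolean csrfTokenRotated() {
            return !oldCsrfToken.equals(newCsrfToken);
        }
    }

    private LoginSessionHardening() {}

    /**
     * Call right after credentials have been verified, from a UI event
     * handler (the VaadinSession lock is held there).
     *
     * @param username the authenticated principal (constructed sample value in tests)
     */
    public static Result rotateAfterLogin(String username) {
        VaadinSession session = VaadinSession.getCurrent();
        VaadinRequest request = VaadinService.getCurrentRequest();

        // Snapshot before rotation.
        String oldSessionId = session.getSession().getId();
        String oldCsrfToken = session.getCsrfToken();

        // Store the principal; reinitializeSession copies attributes over,
        // so the login survives the new session id. "user" is a hypothetical key.
        session.setAttribute("user", username);

        // Discard the current HTTP session and create a new one with the
        // same contents under a fresh JSESSIONID (session-fixation fix).
        VaadinService.reinitializeSession(request);

        // Snapshot after rotation. The VaadinSession object is the same,
        // so in Vaadin 7/8 the CSRF token is expected to be unchanged.
        VaadinSession fresh = VaadinSession.getCurrent();
        String newSessionId = fresh.getSession().getId();
        String newCsrfToken = fresh.getCsrfToken();

        return new Result(oldSessionId, newSessionId, oldCsrfToken, newCsrfToken);
    }
}
```

In a login handler, `Result r = LoginSessionHardening.rotateAfterLogin(user);` followed by an assertion on `r.sessionIdRotated()` verifies the fixation fix; logging `r.csrfTokenRotated()` documents that the CSRF token is per VaadinSession, not per HTTP session, which is exactly why reinitializeSession alone does not rotate it.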


Answer

There's currently a pull request open for adding that kind of functionality: https://github.com/vaadin/framework/pull/10953.

