Problem description
I'm new to Vaadin and I want to implement CSRF token protection. I found that Vaadin already injects a CSRF token into requests, but the problem is that the CSRF token is the same in each request. Is there any configuration in Vaadin to generate a new token on each request? Or is there any way to force Vaadin to regenerate the CSRF token when a new session is created?
I used the following code to fix the session fixation vulnerability, but the problem is that the CSRF token remains the same as the previous session's token, because the reinitializeSession method creates a new session with the same contents under a new JSESSIONID:
VaadinService.reinitializeSession()
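Added illustration (not part of the original question and not Vaadin's own code): a Vaadin 8 login handler that checks what the question describes, by recording the HTTP session id and the CSRF token before and after VaadinService.reinitializeSession(). The class name SessionFixationCheckUI and the onLogin handler are assumptions for the example; authentication itself is assumed to have succeeded before onLogin runs. VaadinService.reinitializeSession(VaadinRequest), VaadinService.getCurrentRequest(), VaadinSession.getCsrfToken() and VaadinSession.getSession() are the real Vaadin 8 API calls.

```java
import com.vaadin.server.VaadinRequest;
import com.vaadin.server.VaadinService;
import com.vaadin.server.VaadinSession;
import com.vaadin.ui.Button;
import com.vaadin.ui.Notification;
import com.vaadin.ui.UI;
import com.vaadin.ui.VerticalLayout;

// Example UI (assumed name) that reproduces the observation in the question:
// the HTTP session id rotates, the CSRF token does not.
public class SessionFixationCheckUI extends UI {

    @Override
    protected void init(VaadinRequest request) {
        Button login = new Button("Log in", e -> onLogin());
        setContent(new VerticalLayout(login));
    }

    // Hypothetical post-authentication hook; the credential check itself is
    // out of scope and assumed to have already passed.
    private void onLogin() {
        VaadinSession session = VaadinSession.getCurrent();
        String oldSessionId = session.getSession().getId();
        String oldCsrf = session.getCsrfToken();

        // Session fixation mitigation: Vaadin invalidates the current HTTP
        // session and copies its attributes (including the VaadinSession
        // object) into a fresh one with a new JSESSIONID.
        VaadinService.reinitializeSession(VaadinService.getCurrentRequest());

        // The VaadinSession object is carried over unchanged, so the token it
        // generated at creation time is still the one sent to the client.
        String newSessionId = session.getSession().getId();
        String newCsrf = session.getCsrfToken();

        boolean sessionIdRotated = !oldSessionId.equals(newSessionId);
        boolean csrfTokenRotated = !oldCsrf.equals(newCsrf);

        // Expected on Vaadin 8: session id rotated, CSRF token not rotated.
        Notification.show("session id rotated: " + sessionIdRotated
                + ", csrf token rotated: " + csrfTokenRotated);
    }
}
```

If the check reports the CSRF token as not rotated, the only way to get a fresh token with the stock framework is a genuinely new VaadinSession (for example, logging the user out and in again), since the token is assigned when the VaadinSession is created; keeping the session's contents while rotating only the token is what the pull request referenced in the answer is about.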
Recommended answer
There's currently a pull request open for adding that kind of functionality: https://github.com/vaadin/framework/pull/10953.