We are doing XSRF fixes for our code. We are using the session-token to request-token comparison method to achieve this. In case the session token is not equal to the request token, we redirect to an error page.
Problem: once we are in the Main Menu page, if the user "refreshes" the page, it throws an XSRF issue. Reason: there won't be any request token (when we do a page refresh). Since the request token is NULL and it is not equal to the session token, it throws the XSRF error.
The users of the application are not very happy with this approach. So is there any way to enable page refresh? Or is it absolutely necessary/important to disable page refresh (for security)?
Thanks in advance.
We use refresh in our page and I don't see any security issues. The request token is part of the URL. When the page is refreshed, the request token is still in the URL.
How are you sending the request token?
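An added example (editor's code, not the asker's application or the answerer's) of a session-token vs. request-token check that does not break on refresh. Two points it illustrates: a plain refresh re-issues a safe GET, which is not a CSRF target and needs no token, and when the token is carried in the URL (as the answer describes) the refreshed request still carries it. Function names such as `csrf_check`, the `csrf_token` parameter name, and the in-memory request dictionaries are assumptions made for the example.

```python
import hmac
import secrets

# Safe (read-only) methods are not CSRF targets; a refresh re-issues one of these.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def new_csrf_token() -> str:
    """Per-session token; the server stores it in the session."""
    return secrets.token_urlsafe(32)


def extract_request_token(query, form, headers):
    """Find the token where this page's design carries it: the URL query string
    first (so a refresh of that URL still carries it), then a hidden form field,
    then a custom header. Parameter name 'csrf_token' is assumed. None if absent."""
    for source in (query, form, headers):
        if source and "csrf_token" in source:
            return source["csrf_token"]
    return None


def csrf_check(session_token, method, query=None, form=None, headers=None):
    """Return (ok, reason).

    Safe methods pass without a token, so a refresh that re-issues a GET with no
    token is not rejected. State-changing requests must carry a token equal to
    the session token; the comparison is constant-time."""
    if method.upper() in SAFE_METHODS:
        return True, "safe method, no token required"
    if not session_token:
        return False, "no session token"
    request_token = extract_request_token(query, form, headers)
    if request_token is None:
        return False, "missing request token"
    if not hmac.compare_digest(session_token.encode(), request_token.encode()):
        return False, "token mismatch"
    return True, "token matches"


def simulate_refresh_scenario():
    """Constructed walk-through of the asker's scenario: load the Main Menu with
    the token in its URL, refresh it, refresh a URL without the token, then a
    legitimate POST, a forged POST with no token, and a POST with a wrong token."""
    session_token = new_csrf_token()
    menu_query = {"csrf_token": session_token}  # token embedded in the menu URL
    return {
        "menu_load": csrf_check(session_token, "GET", query=menu_query)[0],
        "menu_refresh": csrf_check(session_token, "GET", query=menu_query)[0],
        "refresh_without_token": csrf_check(session_token, "GET")[0],
        "post_with_token": csrf_check(
            session_token, "POST", form={"csrf_token": session_token})[0],
        "forged_post": csrf_check(session_token, "POST", form={})[0],
        "wrong_token": csrf_check(
            session_token, "POST", form={"csrf_token": "x" * 43})[0],
    }


if __name__ == "__main__":
    for name, ok in simulate_refresh_scenario().items():
        print(f"{name}: {'allowed' if ok else 'rejected'}")
```

One caveat worth keeping in mind with the URL approach: a token in the query string shows up in browser history, proxy and server logs, and the Referer header sent to any page the user navigates to, so for state-changing requests a hidden form field or a request header is the usual place to carry it; read-only page loads and refreshes then need no token at all.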