[jetty-users] Is there any CSRF protection/filters in jetty ?

Amaltas


_______________________________________________
jetty-users mailing list
[hidden email]
https://dev.eclipse.org/mailman/listinfo/jetty-users

Re: [jetty-users] Is there any CSRF protection/filters in jetty ?

Jan Bartel-3
Amaltas,

See https://bugs.eclipse.org/bugs/show_bug.cgi?id=370385.

In the meanwhile, you can disable putting session ids in links by
calling SessionManager.setSessionIdPathParameterName(null);

Or alternatively, invalidate and recreate a new session, copying
across attributes in a filter/servlet/jsp etc.

regards
Jan

On 2 February 2012 10:17, Amaltas <[hidden email]> wrote:
>
>
>
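
The second workaround in Jan's message above (invalidate the session and recreate it, copying attributes across in a filter) could look like the following. This is an added example, not code from the thread or from Jetty; it assumes the Servlet 3.0 `javax.servlet` API, and the class name `SessionRegenerationFilter` and its mapping to a login URL are hypothetical.

```java
import java.io.IOException;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

// Hypothetical filter: map it only to the URL that handles login, so the
// session id a client presented before authenticating is never reused after it.
public class SessionRegenerationFilter implements Filter {

    public void init(FilterConfig config) { }

    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof HttpServletRequest) {
            // Rotate before the login code runs and before the response is
            // committed, so the new session cookie can still be sent.
            regenerate((HttpServletRequest) req);
        }
        chain.doFilter(req, res);
    }

    // Replaces the current session, if any, with a fresh one holding the same attributes.
    static HttpSession regenerate(HttpServletRequest request) {
        HttpSession old = request.getSession(false);
        if (old == null) {
            return null; // nothing to rotate; the login code will create a session
        }
        // Snapshot first: attributes cannot be read once the session is invalidated.
        Map<String, Object> saved = new HashMap<String, Object>();
        for (String name : Collections.list(old.getAttributeNames())) {
            saved.put(name, old.getAttribute(name));
        }
        old.invalidate();                             // the old id is no longer valid
        HttpSession fresh = request.getSession(true); // container issues a new id
        for (Map.Entry<String, Object> e : saved.entrySet()) {
            fresh.setAttribute(e.getKey(), e.getValue());
        }
        return fresh;
    }
}
```

Attributes that implement `HttpSessionBindingListener` receive an unbound and then a bound callback during the copy.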

Re: [jetty-users] Is there any CSRF protection/filters in jetty ?

Jan Bartel-3
Amaltas,

I don't know what I was talking about, jetty does implement CSRF
protection, and it is in fact enabled by default!

See comments I updated on the issue:
https://bugs.eclipse.org/bugs/show_bug.cgi?id=370385

Jan

On 2 February 2012 12:47, Jan Bartel <[hidden email]> wrote:

> Amaltas,
>
> See https://bugs.eclipse.org/bugs/show_bug.cgi?id=370385.
>
> In the meanwhile, you can disable putting session ids in links by
> calling SessionManager.setSessionIdPathParameterName(null);
>
> Or alternatively, invalidate and recreate a new session, copying
> across attributes in a filter/servlet/jsp etc.
>
> regards
> Jan
>
> On 2 February 2012 10:17, Amaltas <[hidden email]> wrote:
>>
>>

Re: [jetty-users] Is there any CSRF protection/filters in jetty ?

Amaltas
Hi Jan,
Thanks for letting us know. I will explore this and see if it meets my requirements.

On Sun, Feb 5, 2012 at 10:56 PM, Jan Bartel <[hidden email]> wrote:
> Amaltas,
>
> I don't know what I was talking about, jetty does implement CSRF
> protection, and it is in fact enabled by default!
>
> See comments I updated on the issue:
> https://bugs.eclipse.org/bugs/show_bug.cgi?id=370385
>
> Jan
>
> On 2 February 2012 12:47, Jan Bartel <[hidden email]> wrote:
>> Amaltas,
>>
>> See https://bugs.eclipse.org/bugs/show_bug.cgi?id=370385.
>>
>> In the meanwhile, you can disable putting session ids in links by
>> calling SessionManager.setSessionIdPathParameterName(null);
>>
>> Or alternatively, invalidate and recreate a new session, copying
>> across attributes in a filter/servlet/jsp etc.
>>
>> regards
>> Jan
>>
>> On 2 February 2012 10:17, Amaltas <[hidden email]> wrote:
>>>
>>>