[WEB SECURITY] CSRF remedies in

Steve Pinkham steve.pinkham at gmail.com
Wed Jan 14 19:43:09 EST 2009

Eric Rachner wrote:
> As most of us know, ASP.NET <http://ASP.NET> provides the 
> ViewStateUserKey 
> <http://msdn.microsoft.com/en-us/library/system.web.ui.page.viewstateuserkey.aspx> 
> feature to mitigate CSRF attacks.  But as a primarily Microsoft-oriented 
> guy, I'm not personally aware of any equivalent solutions for use in 
> other environments, J2EE in particular, except of course for CSRFGuard 
> <http://www.owasp.org/index.php/CSRF_Guard>.
> Does anyone happen to know whether any web app development platforms 
> other than .NET provide CSRF mitigations like ViewStateUserKey?
> Much obliged,
> - Eric
Rails 2.0 and later provides the protect_from_forgery option, which is 
on by default and helps defend against CSRF in a similar manner.
In Javaland, Wicket added defense in version 1.3.5.
There's probably more, but those are the ones I care about at the moment...

  | Steven E. Pinkham                      |
  | GPG public key ID CD31CAFB             |

Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives: 

Subscribe via RSS: 
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]

Join WASC on LinkedIn

More information about the websecurity mailing list