1

I am implementing tokens for CSRF prevention. I am putting the value of the CSRF token in a session attribute like this:

session.setAttribute("csrfToken", csrfToken);

My login page gets that attribute and submits that CSRF token to the servlet. My login.jsp looks like this:

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">

<%@ taglib uri="http://java.sun.com/jsp/jstl/core" prefix="c" %>
<%@ taglib uri="http://jakarta.apache.org/struts/tags/struts-html" prefix="html" %>
<%@ taglib uri="http://devel.payo.org/tlibs/payo-core" prefix="payo" %>
<%@ page session="true" %>

<html:html>

<input id="token" type="hidden" value="${sessionScope.csrfToken}" />
<c:choose><c:when test="${not empty loggedUser}">
    <head>
        <meta http-equiv="refresh" content="0;URL=${pathPrefix}/home">
    </head>
</c:when><c:otherwise>

    <jsp:include page="/pages/general/layout/head.jsp" />
    <payo:customizedFilePath type="style" name="login.css" var="loginUrl" groupId="${empty loggedUserId ? cookie.groupId.value : ''}" groupFilterId="${empty loggedUserId ? cookie.groupFilterId.value : ''}" />    
    <link rel="stylesheet" href="<c:url value="${loginUrl}" />">    

    <jsp:include flush="true" page="/pages/access/includes/loginDefinitions.jsp" /> 

    <payo:includeCustomizedFile type="static" name="login.jsp" groupId="${empty loggedUserId ? cookie.groupId.value : ''}" groupFilterId="${empty loggedUserId ? cookie.groupFilterId.value : ''}" />   

    <script>
        if (!is.ie6) {
            var td = $('loginRegistration');
            var div = $('loginRegistrationDiv');
            if (td && div) {
                div.style.height = (td.getHeight() - 10) + "px";
            }
        }
        ensureLoginForm();
    </script>

</c:otherwise></c:choose>

</html:html>

The problem I am facing is that when I try to get the value of the hidden input which contains the token from the session, I am getting just null... I will be very thankful if someone can help. This is how I retrieve the value:

String token = request.getParameter("token");
Talib
  • How are you calling this request? Since there is no name on this input, I guess this could be the problem – AxelH Nov 21 '16 at 15:06
  • But the input has id="token", isn't that enough? – Talib Nov 21 '16 at 15:07
  • Depends on what you used ... for example, in a `form` this is the name that's used to find the field. Here, I have no idea of what you used from what you explained – AxelH Nov 21 '16 at 15:09
  • I tried to get the value in the servlet like this: String token = request.getParameter("token"); – Talib Nov 21 '16 at 15:10
  • In which servlet? This one or the one that will manage the request? Did you even try to check the input from the client? In JavaScript? `document.getElementById('token').value`? – AxelH Nov 21 '16 at 15:13
  • This is a duplicate question; please refer to [this link](http://stackoverflow.com/questions/17274775/session-getattribute-in-jsp-is-giving-null-value) – Yogesh W Nov 21 '16 at 15:21
  • @YogeshW I am doing the same way as in the answer. – Talib Nov 21 '16 at 16:01
  • @Talib, add the code where you set the value in the session. You did use the Session instance from the Request ? Without answers, I can't help ... – AxelH Nov 24 '16 at 12:47
  • How do you submit that csrf token to servlet? – Roman C Nov 24 '16 at 16:34
  • @RomanC Won't the value of the token input be automatically submitted on page submission? – Talib Nov 25 '16 at 21:51
  • 1
    @Talib It depends on the answer to the previous comment. You said that `My login page gets that attribute and submit that csrf token to servlet`, but it's unclear how you did that because there's no code that submits that CSRF token to whatever servlet. – Roman C Nov 25 '16 at 21:57
  • @RomanC Sorry for the late reply, I was out... The problem, I think, is not only in submission, because even when I try to access the value of the token in the JSP it says null... – Talib Nov 28 '16 at 07:01
  • If it's not in submission, then I'm out of ideas. – Roman C Nov 28 '16 at 13:24
  • please share your jsp and servlet code. – Sanjay Dec 01 '16 at 10:27
  • @RomanC You are right, the hidden value in the form is not being submitted. Can you please suggest how I can make it submit? – Talib Dec 05 '16 at 09:38
  • @Talib Wrap your JSP input tags with ``. – Roman C Dec 05 '16 at 11:26

3 Answers

0

To get the 'token' parameter from the request you have to give the input element the name 'token':

<input name='token' .../>

The request.getParameter(String name) method gets the parameter based on the name attribute.

hiren
  • Actually it looks like it was even null in the JSP as well; it's basically getting the session attribute value as null at "" but I don't know why. – Talib Nov 22 '16 at 05:32
  • could you try `` instead of using EL – hiren Nov 22 '16 at 07:05
  • I tried this but still receiving null . /> – Talib Nov 22 '16 at 07:19
  • Then there must be a problem with setting the session attribute. Check the code to confirm that the attribute is being set properly. – hiren Nov 22 '16 at 07:45
  • Yes, I had checked it after setting the token by: System.out.println(session.getAttribute("csrfToken")); and the value is correct. – Talib Nov 22 '16 at 07:51
  • Would you share the code to where you set the session attribute and also confirm that you are not getting session value before setting it? – hiren Nov 26 '16 at 06:51
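The question describes the intended flow (generate a token, store it in the session, render it in login.jsp, read it back in the servlet with request.getParameter("token")), and this answer points out that getParameter works on the name attribute, not the id. The following is an added example, not code from the question or from any of the answers, showing that flow end to end in a servlet: the token is issued into the same HttpSession that ${sessionScope} reads, the form field carries name="token" and sits inside the form that is posted, and the servlet compares the submitted value against the session value in constant time. The class names CsrfTokens and LoginServlet, the /login action, and the javax.servlet API usage are assumptions for illustration; the attribute name csrfToken and parameter name token are the ones from the question.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/*
 * Assumed login.jsp fragment (the hidden input must have a name and must be
 * inside the form that is actually submitted; the id alone is never sent):
 *
 *   <form method="post" action="${pathPrefix}/login">
 *       <input type="hidden" name="token" value="${sessionScope.csrfToken}" />
 *       ... username / password fields ...
 *   </form>
 */

/** Hypothetical helper (not from the question): issues and checks a per-session CSRF token. */
public final class CsrfTokens {
    public static final String SESSION_ATTR = "csrfToken"; // attribute name used in the question
    public static final String PARAM_NAME = "token";       // must equal the input's name="" attribute
    private static final SecureRandom RNG = new SecureRandom();

    private CsrfTokens() {}

    /** Returns the session's token, creating the session and the token if either is absent. */
    public static String issue(HttpServletRequest request) {
        HttpSession session = request.getSession(true); // same session ${sessionScope} reads in the JSP
        String token = (String) session.getAttribute(SESSION_ATTR);
        if (token == null) {
            byte[] raw = new byte[32];                   // 256 bits from a CSPRNG
            RNG.nextBytes(raw);
            token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
            session.setAttribute(SESSION_ATTR, token);
        }
        return token;
    }

    /** True only if the submitted "token" parameter equals the session token (constant-time compare). */
    public static boolean isValid(HttpServletRequest request) {
        HttpSession session = request.getSession(false); // never create a session just to validate
        if (session == null) {
            return false;
        }
        String expected = (String) session.getAttribute(SESSION_ATTR);
        // getParameter returns null when the input has no name or is outside the submitted form
        String submitted = request.getParameter(PARAM_NAME);
        if (expected == null || submitted == null) {
            return false;
        }
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                     submitted.getBytes(StandardCharsets.UTF_8));
    }
}

/** Hypothetical login servlet: GET issues the token before the JSP renders, POST checks it. */
class LoginServlet extends HttpServlet {
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        CsrfTokens.issue(req); // token now exists in the session when login.jsp evaluates ${sessionScope.csrfToken}
        req.getRequestDispatcher("/login.jsp").forward(req, resp);
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        if (!CsrfTokens.isValid(req)) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "missing or invalid CSRF token");
            return;
        }
        // ... authenticate the user here ...
        // After a successful login, invalidate the old session and issue a fresh token
        // (req.changeSessionId() on Servlet 3.1+) so the pre-login token is not reused.
        resp.sendRedirect(req.getContextPath() + "/home");
    }
}
```

Two points the question's code does not cover: the check uses request.getSession(false) so that a request with no session is rejected rather than silently given a new, empty session, and the comparison uses MessageDigest.isEqual rather than String.equals so that a mismatch does not leak how many leading characters matched through timing.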
-1

If you are creating a new session using <%@ page session="true" %>, then where will your token come from when using ${sessionScope.csrfToken}? Make it session="false" and then try.

Sanjay
  • Before coming to login.jsp, you are creating one session and putting your token in that session; now you come to login.jsp with the same session, but here you have created a new session using it, so the previously created session will be destroyed with all its params and a new session will be created, and your token is not in the new session. So try after removing it or making it false. – Sanjay Nov 28 '16 at 07:20
  • Well, if `session` is set to `true` in this directive, it doesn't necessarily create a new session if one already exists. – 31piy Nov 30 '16 at 07:51
-1

I suspect that the line below is making a new session when coming to this page, which is causing it to be null.

<%@ page session="true" %>

Can you please make it <%@ page session="false" %> and then cross-check. I strongly believe it should work.

dildeepak