Thread: How is flowExecutionKey generated in Spring Web Flow 1.0 and Spring Web Flow 2.0?

  1. #1
    Join Date
    Jan 2013
    Posts
    5

    How is flowExecutionKey generated in Spring Web Flow 1.0 and Spring Web Flow 2.0?
    Is it possible to modify the executionKey to make it more robust?
    Please provide a detailed example.
    Thanks.

  2. #2
    Join Date
    Jun 2006
    Location
    The Netherlands
    Posts
    13,695

    What is wrong with the current strategy, why wouldn't it be robust enough? Used it on high traffic websites without any problems...
    Marten Deinum
    Java Consultant / Pragmatist / Open Source Enthusiast / Author


    Pro Spring MVC: With Web Flow
    Conspect

    Have you read the reference guide.
    Use the [ code ] tags, young padawan

  3. #3
    Join Date
    Jan 2013
    Posts
    5

    I'm moving from Spring Web Flow 1 to Spring Web Flow 2. When I used Web Flow 1.0, the generated flow key was common for all states, like "_flowExecutionKey=_cB991AE60-9F1A-C5D0-F745-0D817F5C0D39_k9364BE07-2413-78A7-3F6F-F0B8F226A40F", but with the new version the generated execution key looks like e1s1 and changes for every state in the flow.

    I want to maintain a unique flowId throughout my web flow, like it used to be in Spring Web Flow 1.0. Could you please let me know how this can be possible?

    Please suggest any solution for this. This long key helps to prevent CSRF-type attacks.

  4. #4
    Join Date
    Jun 2006
    Location
    The Netherlands
    Posts
    13,695

    The key is as safe as the one from webflow 1... The flow execution key for webflow 1 also changes; the part after _k is dynamic... The _k is comparable with the s part to determine the state to restore...

    Also if you rely on long keys to prevent CSRF attacks you should really implement real CSRF attack protection, security through obscurity (long keys) isn't very secure...
    Marten Deinum

  5. #5
    Join Date
    Jan 2013
    Posts
    5

    Hi,

    Thanks for your reply!

    Can you please help me implement real CSRF protection in a Web Flow application? Please suggest how I can implement it.
    If you have a sample, I can try to implement it in my SWF 2.0 application.
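
The "real CSRF protection" recommended in post #4 and asked for in post #5 is commonly done with a per-session synchronizer token that is checked independently of the flow execution key. The servlet filter below is an added example, not code from any poster in this thread or from Spring Web Flow; the class name, the `CSRF_TOKEN` attribute, the `_csrf` field name and the use of the `javax.servlet` API are assumptions.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.servlet.*;
import javax.servlet.http.*;

/** Synchronizer-token CSRF filter (added example; all names are hypothetical). */
public class CsrfTokenFilter implements Filter {
    static final String ATTR = "CSRF_TOKEN";  // session/request attribute (assumption)
    static final String PARAM = "_csrf";      // hidden form field name (assumption)
    private final SecureRandom random = new SecureRandom();

    @Override public void init(FilterConfig cfg) { }
    @Override public void destroy() { }

    @Override
    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpSession session = req.getSession(true);
        // One unpredictable token per session, unrelated to the execution key (e1s1).
        String expected;
        synchronized (session) {
            expected = (String) session.getAttribute(ATTR);
            if (expected == null) {
                byte[] raw = new byte[32];
                random.nextBytes(raw);
                expected = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
                session.setAttribute(ATTR, expected);
            }
        }
        // Views emit: <input type="hidden" name="_csrf" value="${CSRF_TOKEN}"/>
        req.setAttribute(ATTR, expected);
        // Safe methods pass; every other request must echo the session's token.
        String m = req.getMethod();
        boolean safe = m.equals("GET") || m.equals("HEAD") || m.equals("OPTIONS");
        if (!safe && !matches(expected, req.getParameter(PARAM))) {
            ((HttpServletResponse) rs).sendError(HttpServletResponse.SC_FORBIDDEN,
                    "Missing or invalid CSRF token");
            return;
        }
        chain.doFilter(rq, rs);
    }

    // Constant-time comparison so the check does not leak a matching prefix.
    static boolean matches(String expected, String supplied) {
        return supplied != null && MessageDigest.isEqual(
                expected.getBytes(StandardCharsets.UTF_8),
                supplied.getBytes(StandardCharsets.UTF_8));
    }
}
```

Map the filter in `web.xml` ahead of the servlet that handles the flows. Transitions signalled through GET links with `_eventId` are not checked by this version and would need the same test.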
