Reputation: 13
I tried using the OWASP mechanism to protect my legacy application from CSRF, but I got issues with navigation and the back button. I then tried using the Struts 1 token mechanism but faced the same issue. The problem, I think, with the token injection mechanism is that initially we generate a token in the JSP, store it in the session and perform some action.
Consider A.jsp. Let's take token value 1 in the JSP and store the same in the session. Now we validate it in the filter/Action class. After that we do some other operation in B.jsp and have a new token value 2 in the JSP and in the session. After validation from the server we have value 2 in the session. Now if we navigate using the browser's back button, move to page 1 and submit it, it loads the values from cache and A.jsp has value 1 as the token. After submitting A.jsp at this point it shows a CSRF error, as it contradicts the value in the session.
Is there a way to implement the CSRF prevention mechanism without actually disturbing the application?
Upvotes: 1
Views: 1534
Reputation: 723
So if I understand your problem correctly, pressing the back button you get the page from cache with the old token? If I'm correct, then there is an easy way to solve this problem: do not cache your pages, and load them from the server every time.
It can be achieved by setting the following response header:
Cache-Control: max-age=0, no-cache, must-revalidate
Another, more difficult way is to implement a single-page application; in that case you'll always have the current token in browser memory.
Upvotes: 0
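One way to apply the answer's header to every token-bearing page of a Struts 1 / JSP application without touching the JSPs themselves is a servlet filter. The following is an added example (not code from the question, the answer or any project), written against the `javax.servlet` API; the class name `NoCacheFilter` and the URL pattern in the comment are assumptions. It sends exactly the `Cache-Control` value given in the answer, plus the `Pragma` and `Expires` headers for HTTP/1.0 caches. Note that, in current browsers, `no-cache` alone does not always keep a page out of the back/forward cache; adding `no-store` is the directive that reliably does, at the cost of a server round-trip on every back navigation.

```java
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

/**
 * Added example: a filter that marks every response it wraps as non-cacheable,
 * so the browser re-requests the page (and gets a fresh CSRF token) instead of
 * replaying a stale copy when the user presses Back.
 *
 * Assumed web.xml mapping (hypothetical, adjust to the application):
 *
 *   <filter>
 *     <filter-name>noCache</filter-name>
 *     <filter-class>NoCacheFilter</filter-class>
 *   </filter>
 *   <filter-mapping>
 *     <filter-name>noCache</filter-name>
 *     <url-pattern>*.jsp</url-pattern>
 *   </filter-mapping>
 */
public class NoCacheFilter implements Filter {

    // Value from the answer above. Append ", no-store" if the back/forward
    // cache still serves stale pages in the browsers you need to support.
    private static final String CACHE_CONTROL = "max-age=0, no-cache, must-revalidate";

    @Override
    public void init(FilterConfig filterConfig) {
        // No configuration needed.
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        if (response instanceof HttpServletResponse) {
            HttpServletResponse http = (HttpServletResponse) response;
            // Headers must be set BEFORE the chain runs: once the JSP has
            // flushed output and the response is committed, setHeader is ignored.
            http.setHeader("Cache-Control", CACHE_CONTROL);
            http.setHeader("Pragma", "no-cache");   // HTTP/1.0 proxies and caches
            http.setDateHeader("Expires", 0L);      // already expired
        }
        chain.doFilter(request, response);
    }

    @Override
    public void destroy() {
        // Nothing to release.
    }
}
```

Because the filter sets the headers before delegating to the JSP, it works regardless of how the legacy pages are written; scope the `url-pattern` to pages that render the token so that static assets remain cacheable.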