[pLog-svn] Anti CSRF solution

Reto Hugi plog at hugi.to
Fri Nov 23 05:58:15 EST 2007

Mark Wu wrote:
> I know we discussion this issue before, but seems there is no soluton 
> for this.
> This come the code from google code, maybe we can borrow the idea from 
> this tool
> http://code.google.com/p/csrfx/

oh well, I added exactly that link to bugs.lt.net a couple of minutes 
ago.... :)

I think we can use is to build our methods in the validation classes, 
and validate the token on a per action basis. It's more efficient than 
simulating some sort of pseudo security layer on top LTs business logic. 
IMO that layer should be handled by mod_security, .htaccess files and 
security appliances.

BTW: Do we need an additional table to implement this? I thought it's ok 
to use the users session....

More information about the pLog-svn mailing list