[pLog-svn] Anti CSRF solution
Reto Hugi
plog at hugi.to
Fri Nov 23 05:58:15 EST 2007
Mark Wu wrote:
> I know we discussed this issue before, but it seems there is no solution
> for this.
>
> This code comes from Google Code; maybe we can borrow the idea from
> this tool:
>
> http://code.google.com/p/csrfx/
>
oh well, I added exactly that link to bugs.lt.net a couple of minutes
ago.... :)
I think we can use it to build our methods in the validation classes,
and validate the token on a per-action basis. It's more efficient than
simulating some sort of pseudo security layer on top of LT's business logic.
IMO that layer should be handled by mod_security, .htaccess files and
security appliances.
BTW: Do we need an additional table to implement this? I thought it's ok
to use the user's session....
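The scheme discussed in this thread (a token issued per action, kept only in the user's session with no extra table, and checked on the handler that performs the action) as an added example. This is not code from LifeType, csrfx, or either poster; it is written in Python rather than the project's PHP so the logic is easy to read, and the `session` dict, the `CsrfGuard` class and the action names are constructed for illustration.

```python
import hmac
import secrets


class CsrfGuard:
    """Per-action anti-CSRF tokens stored in the user's session.

    The session is modelled as a plain dict (constructed stand-in for the
    server-side session store); no database table is involved.
    """

    SESSION_KEY = "_csrf_tokens"

    def __init__(self, session: dict, max_tokens: int = 32):
        self.session = session
        self.max_tokens = max_tokens
        self.session.setdefault(self.SESSION_KEY, {})

    def issue(self, action: str) -> str:
        """Create a fresh random token bound to one action (e.g. 'deletePost')."""
        token = secrets.token_hex(16)
        tokens = self.session[self.SESSION_KEY]
        tokens[action] = token
        # Bound per-session memory: drop the oldest outstanding tokens.
        while len(tokens) > self.max_tokens:
            oldest = next(iter(tokens))
            del tokens[oldest]
        return token

    def validate(self, action: str, submitted) -> bool:
        """Check a submitted token against the one issued for this action.

        Comparison is constant-time, and the token is consumed on success so a
        captured form cannot be replayed.
        """
        tokens = self.session[self.SESSION_KEY]
        expected = tokens.get(action)
        if expected is None or not isinstance(submitted, str):
            return False
        ok = hmac.compare_digest(expected, submitted)
        if ok:
            del tokens[action]
        return ok


def render_hidden_field(guard: CsrfGuard, action: str) -> str:
    """Emit the hidden input a form for `action` would carry (token is hex, so no escaping needed)."""
    return f'<input type="hidden" name="csrf_token" value="{guard.issue(action)}">'


def handle_action(guard: CsrfGuard, action: str, form: dict) -> int:
    """Validate before performing the action; return an HTTP-style status code."""
    if not guard.validate(action, form.get("csrf_token")):
        return 403
    # ... perform the action here ...
    return 200


if __name__ == "__main__":
    session = {}  # constructed: one user's server-side session
    guard = CsrfGuard(session)
    field = render_hidden_field(guard, "deletePost")
    token = field.split('value="')[1].rstrip('">')
    print(handle_action(guard, "deletePost", {"csrf_token": token}))  # legitimate submit
    print(handle_action(guard, "deletePost", {}))                      # cross-site forgery: no token
```

Binding the token to the action name means a token leaked from one form cannot authorise a different action, and consuming it on use limits replay; the trade-off is that two open tabs of the same form overwrite each other's token, which a per-form list instead of a single value would avoid.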