[pLog-svn] Anti CSRF solution
markplace at gmail.com
Fri Nov 23 06:58:22 EST 2007
I don't think use db is a good idea ...
We need use file base solution to avoid db access..
> -----Original Message-----
> From: plog-svn-bounces at devel.lifetype.net
> [mailto:plog-svn-bounces at devel.lifetype.net] On Behalf Of Reto Hugi
> Sent: Friday, November 23, 2007 6:58 PM
> To: LifeType Developer List
> Subject: Re: [pLog-svn] Anti CSRF solution
> Mark Wu wrote:
> > I know we discussion this issue before, but seems there is
> no soluton
> > for this.
> > This come the code from google code, maybe we can borrow
> the idea from
> > this tool
> > http://code.google.com/p/csrfx/
> oh well, I added exactly that link to bugs.lt.net a couple of
> minutes ago.... :)
> I think we can use is to build our methods in the validation
> classes, and validate the token on a per action basis. It's
> more efficient than simulating some sort of pseudo security
> layer on top LTs business logic.
> IMO that layer should be handled by mod_security, .htaccess
> files and security appliances.
> BTW: Do we need an additional table to implement this? I
> thought it's ok to use the users session....
> pLog-svn mailing list
> pLog-svn at devel.lifetype.net
More information about the pLog-svn