[pLog-svn] Anti CSRF solution
ahmadfds at gmail.com
Fri Nov 23 07:13:00 EST 2007
Why don't you keep it simple as you can ?
definitely, there is no full solution for CSRF issue, but you can decrease
it's occurrence time by sending a csrf key on each request.
On Nov 23, 2007 1:58 PM, Mark Wu <markplace at gmail.com> wrote:
> I don't think use db is a good idea ...
> We need use file base solution to avoid db access..
> > -----Original Message-----
> > From: plog-svn-bounces at devel.lifetype.net
> > [mailto:plog-svn-bounces at devel.lifetype.net] On Behalf Of Reto Hugi
> > Sent: Friday, November 23, 2007 6:58 PM
> > To: LifeType Developer List
> > Subject: Re: [pLog-svn] Anti CSRF solution
> > Mark Wu wrote:
> > > I know we discussion this issue before, but seems there is
> > no soluton
> > > for this.
> > >
> > > This come the code from google code, maybe we can borrow
> > the idea from
> > > this tool
> > >
> > > http://code.google.com/p/csrfx/
> > >
> > oh well, I added exactly that link to bugs.lt.net a couple of
> > minutes ago.... :)
> > I think we can use is to build our methods in the validation
> > classes, and validate the token on a per action basis. It's
> > more efficient than simulating some sort of pseudo security
> > layer on top LTs business logic.
> > IMO that layer should be handled by mod_security, .htaccess
> > files and security appliances.
> > BTW: Do we need an additional table to implement this? I
> > thought it's ok to use the users session....
> > _______________________________________________
> > pLog-svn mailing list
> > pLog-svn at devel.lifetype.net
> > http://limedaley.com/mailman/listinfo/plog-svn
> pLog-svn mailing list
> pLog-svn at devel.lifetype.net
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the pLog-svn