[pLog-svn] Anti CSRF solution
Mark Wu
markplace at gmail.com
Fri Nov 23 09:22:26 EST 2007
Ahmad:
Do you see what CSRFx does? It is a easy way, especially when Lifetype use
front controller to dispatch the request to the action.
We can apply the same skill(concept) to prevent CSRF without modify the
current code ...
The best is we don't need to modify the action file one by one.
So, what do you mean "Why don't you keep it simple as you can ? "?
If you can provide a easy and simple way to prevent CSRF, I really like to
see it.
Mark
_____
From: plog-svn-bounces at devel.lifetype.net
[mailto:plog-svn-bounces at devel.lifetype.net] On Behalf Of Ahmad Saleh
Sent: Friday, November 23, 2007 8:13 PM
To: LifeType Developer List
Subject: Re: [pLog-svn] Anti CSRF solution
Hi All
Why don't you keep it simple as you can ?
definitely, there is no full solution for CSRF issue, but you can decrease
it's occurrence time by sending a csrf key on each request.
Regards,
Ahmad
On Nov 23, 2007 1:58 PM, Mark Wu <markplace at gmail.com> wrote:
I don't think use db is a good idea ...
We need use file base solution to avoid db access..
Mark
> -----Original Message-----
> From: plog-svn-bounces at devel.lifetype.net
> [mailto:plog-svn-bounces at devel.lifetype.net] On Behalf Of Reto Hugi
> Sent: Friday, November 23, 2007 6:58 PM
> To: LifeType Developer List
> Subject: Re: [pLog-svn] Anti CSRF solution
>
> Mark Wu wrote:
> > I know we discussion this issue before, but seems there is
> no soluton
> > for this.
> >
> > This come the code from google code, maybe we can borrow
> the idea from
> > this tool
> >
> > http://code.google.com/p/csrfx/
> >
>
> oh well, I added exactly that link to bugs.lt.net a couple of
> minutes ago.... :)
>
> I think we can use is to build our methods in the validation
> classes, and validate the token on a per action basis. It's
> more efficient than simulating some sort of pseudo security
> layer on top LTs business logic.
> IMO that layer should be handled by mod_security, .htaccess
> files and security appliances.
>
> BTW: Do we need an additional table to implement this? I
> thought it's ok to use the users session....
> _______________________________________________
> pLog-svn mailing list
> pLog-svn at devel.lifetype.net
> http://limedaley.com/mailman/listinfo/plog-svn
<http://limedaley.com/mailman/listinfo/plog-svn>
_______________________________________________
pLog-svn mailing list
pLog-svn at devel.lifetype.net
http://limedaley.com/mailman/listinfo/plog-svn
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://limedaley.com/pipermail/plog-svn/attachments/20071123/3f63e40b/attachment.htm
More information about the pLog-svn
mailing list