[pLog-svn] Anti CSRF solution
ahmadfds at gmail.com
Fri Nov 23 11:46:27 EST 2007
I think you cannot solve CSRF Issue by just checking on the request url, I
know, it's a part of solution but not a solution, cause there is no special
characters added to url to specify if it's a csrf attack or not. and also in
LifeType you can send parameter by any request method (GET/POST)
And the easy way which I talked about is by generate a key on each request
and save it in a session (list/queue), send it to view (add it to urls
"?csrfCode=KKHEIKSI883KF83", or but it in a hidden field in the form).
then check if the csrf code valid in the session list, if so, perform the
process and remove the csrf key from the session and generate another one.
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the pLog-svn