[pLog-svn] Anti CSRF solution

Mark Wu markplace at gmail.com
Fri Nov 23 12:11:03 EST 2007


Ahmad:
 
Did you really see the url I attached in this thread???
 
It is the way you describe, but more general.
 
So, I really have no idea why you said the way is wrong.
 
Mark



From: plog-svn-bounces at devel.lifetype.net
[mailto:plog-svn-bounces at devel.lifetype.net] On Behalf Of Ahmad Saleh
Sent: Saturday, November 24, 2007 12:46 AM
To: LifeType Developer List
Subject: Re: [pLog-svn] Anti CSRF solution


Hi Mark

I think you cannot solve the CSRF issue by just checking the request URL. I
know it's part of the solution but not the solution, because there are no special
characters added to the URL to specify whether it's a CSRF attack or not, and also in
LifeType you can send parameters by any request method (GET/POST).

And the easy way which I talked about is to generate a key on each request
and save it in the session (list/queue), then send it to the view (add it to URLs
as "?csrfCode=KKHEIKSI883KF83", or put it in a hidden field in the form).

Then check if the CSRF code is valid in the session list; if so, perform the
process, remove the CSRF key from the session and generate another one.


Regards,
   Ahmad
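The scheme Ahmad describes above (a fresh random key per request, kept in a session-side list, sent as the `csrfCode` parameter in a URL or hidden field, and consumed on use), written out as a small added example. This is illustration code written for this page, not code from the thread or from LifeType; the `CsrfGuard` class, the `handle_request` simulation and the in-memory `session` dict are assumptions standing in for the real session store and request handling. The example also goes a step beyond the mail: it bounds the token queue so many open tabs cannot grow the session without limit, and it compares tokens in constant time.

```python
import hmac
import html
import secrets

# The parameter name comes from Ahmad's mail; everything else here is constructed.
CSRF_PARAM = "csrfCode"


class CsrfGuard:
    """One-time CSRF tokens kept in a per-session list (the 'list/queue' of the mail).

    `session` is any dict-like object scoped to one logged-in user (assumption:
    the real application would hand over its session store here).
    """

    def __init__(self, session, max_tokens=20):
        self.session = session
        self.max_tokens = max_tokens
        self.session.setdefault("csrf_tokens", [])

    def issue(self):
        """Generate a new unguessable key and remember it for this session."""
        token = secrets.token_urlsafe(24)  # 192 bits from the OS CSPRNG
        tokens = self.session["csrf_tokens"]
        tokens.append(token)
        # Keep only the newest max_tokens entries: a user with many tabs open
        # still gets working forms, but the session cannot grow without bound.
        del tokens[:-self.max_tokens]
        return token

    def consume(self, presented):
        """Return True once for a valid token and delete it (replay is rejected)."""
        if not isinstance(presented, str) or not presented:
            return False
        candidate = presented.encode("utf-8", "replace")
        tokens = self.session["csrf_tokens"]
        for i, stored in enumerate(tokens):
            # Constant-time comparison avoids leaking how many leading bytes matched.
            if hmac.compare_digest(stored.encode("utf-8"), candidate):
                del tokens[i]
                return True
        return False


def hidden_field(token):
    """Hidden input a template would emit inside every state-changing form."""
    return f'<input type="hidden" name="{CSRF_PARAM}" value="{html.escape(token)}">'


def handle_request(session, params, action):
    """Simulated state-changing handler.

    `params` is the merged GET/POST parameter dict, mirroring the point in the
    mail that LifeType accepts either method; the token is checked the same way
    regardless of how it arrived. On success the action runs and a fresh token
    is issued for the next view, as the mail describes.
    """
    guard = CsrfGuard(session)
    if not guard.consume(params.get(CSRF_PARAM)):
        return {"status": 403, "error": "missing or invalid CSRF token",
                "next_token": guard.issue()}
    return {"status": 200, "result": action(), "next_token": guard.issue()}


def demo():
    """Constructed walkthrough: a legitimate request, a replay, and a forged request."""
    session = {}
    token = CsrfGuard(session).issue()          # rendered into the user's form

    legit = handle_request(session, {CSRF_PARAM: token, "op": "deletePost", "id": "42"},
                           lambda: "deleted post 42")
    replay = handle_request(session, {CSRF_PARAM: token, "op": "deletePost", "id": "42"},
                            lambda: "deleted post 42")
    # A cross-site request can carry op/id but never the victim's session token.
    forged = handle_request(session, {"op": "deletePost", "id": "42"},
                            lambda: "deleted post 42")
    return legit["status"], replay["status"], forged["status"]


if __name__ == "__main__":
    print(demo())  # (200, 403, 403)
```

The guard accepts the token from whichever parameter source the request used, which is the point Ahmad raises about GET and POST both being accepted: the protection lives in the secret the attacker cannot obtain, not in the request method or URL shape.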



