[pLog-svn] Anti CSRF solution
ahmadfds at gmail.com
Fri Nov 23 13:12:55 EST 2007
Did you really see the URL I attached in this thread?
Yes, I saw the group, and I also saw part of the code; I took a general look.
> It is the way as you describe but more general.
> So, I really have no idea why you said the way is wrong.
I didn't say it's wrong.
> *From:* plog-svn-bounces at devel.lifetype.net [mailto:
> plog-svn-bounces at devel.lifetype.net] *On Behalf Of *Ahmad Saleh
> *Sent:* Saturday, November 24, 2007 12:46 AM
> *To:* LifeType Developer List
> *Subject:* Re: [pLog-svn] Anti CSRF solution
> Hi Mark
> I think you cannot solve the CSRF issue just by checking the request URL. I
> know it's part of a solution, but not a solution, because there are no special
> characters added to the URL to specify whether it's a CSRF attack or not. Also, in
> LifeType you can send parameters by any request method (GET/POST).
> The easy way I talked about is to generate a key on each request
> and save it in the session (list/queue), then send it to the view (add it to URLs
> as "?csrfCode=KKHEIKSI883KF83", or put it in a hidden field in the form).
> Then check whether the CSRF code is valid in the session list; if so, perform the
> action, remove the CSRF key from the session, and generate another one.
> pLog-svn mailing list
> pLog-svn at devel.lifetype.net
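The token scheme described in the quoted message (one-time key per request, kept in a per-session queue, sent back as `csrfCode` in a URL or hidden field, checked and removed on use), as an added, language-neutral example written for this page; it is not LifeType's own code and does not match its PHP API. The `CsrfSession` class stands in for the user's server-side session, `TOKEN_QUEUE_SIZE` is an assumed bound so a user with several tabs open does not invalidate their own forms, and the admin URL and parameters in `demo()` are constructed sample input. Two practitioner details beyond the message itself: the lookup uses a constant-time comparison so a missing token is not distinguishable by timing, and a token that is consumed once is rejected on replay.

```python
import hmac
import secrets
from collections import deque

# Assumption: how many outstanding one-time tokens a single session may hold.
# A bounded queue lets several tabs/forms coexist; the oldest token is evicted.
TOKEN_QUEUE_SIZE = 8


class CsrfSession:
    """Per-user session state holding a queue of one-time CSRF tokens.

    Stand-in for the server-side session store; one instance per logged-in user.
    Tokens are only meaningful inside the session that issued them, which is
    what makes a cross-site request (which cannot read the victim's session)
    unable to supply a valid value.
    """

    def __init__(self, queue_size=TOKEN_QUEUE_SIZE):
        self._tokens = deque(maxlen=queue_size)

    def issue_token(self) -> str:
        """Generate a fresh unguessable token and remember it for this session."""
        token = secrets.token_urlsafe(24)  # 192 bits, URL- and HTML-safe alphabet
        self._tokens.append(token)         # evicts the oldest if the queue is full
        return token

    def consume_token(self, presented) -> bool:
        """Accept the token once, then forget it (one-time use)."""
        if not isinstance(presented, str) or not presented:
            return False
        for stored in self._tokens:
            # constant-time compare so a near-miss is not observable by timing
            if hmac.compare_digest(stored, presented):
                self._tokens.remove(stored)
                return True
        return False

    def outstanding(self) -> int:
        return len(self._tokens)


def render_link(session: CsrfSession, url: str) -> str:
    """Embed a token in a GET link: the "?csrfCode=..." variant from the message."""
    sep = "&" if "?" in url else "?"
    return f"{url}{sep}csrfCode={session.issue_token()}"


def render_form(session: CsrfSession, action: str) -> str:
    """Embed a token as a hidden field: the POST form variant from the message."""
    return (
        f'<form method="post" action="{action}">\n'
        f'  <input type="hidden" name="csrfCode" value="{session.issue_token()}">\n'
        f'  <input type="submit" value="Go">\n'
        f"</form>"
    )


def handle_request(session: CsrfSession, params: dict):
    """Server-side check for a state-changing action.

    `params` is the merged GET/POST parameter set, since the application accepts
    either method. Returns (accepted, reason); the real action runs only when
    accepted is True.
    """
    if not session.consume_token(params.get("csrfCode")):
        return False, "missing or invalid csrfCode"
    # ... perform the state-changing action here ...
    return True, "ok"


def demo():
    """Constructed sample traffic: a legitimate click, a replay, and a forged request."""
    session = CsrfSession()
    link = render_link(session, "/admin.php?op=deletePost&postId=7")
    token = link.split("csrfCode=", 1)[1]
    base = {"op": "deletePost", "postId": "7"}

    first = handle_request(session, {**base, "csrfCode": token})   # genuine click
    replay = handle_request(session, {**base, "csrfCode": token})  # same token again
    forged = handle_request(session, dict(base))                   # cross-site: no token
    return first, replay, forged


if __name__ == "__main__":
    print(demo())
```

Putting the token in a URL works, but the URL (and therefore the token) will show up in browser history, proxy logs and outbound `Referer` headers, so the hidden-field form is the safer of the two carriers for anything that changes state.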