[pLog-svn] Anti CSRF solution
Ahmad Saleh
ahmadfds at gmail.com
Fri Nov 23 13:12:55 EST 2007
Hi Mark
Did you really see the URL I attached in this thread???
>
> Yes, I saw the group, and I also saw a part of the code; I took a general look
> (sorry) :P
>
> It is the way you describe, but more general.
>
> So, I really have no idea why you said the way is wrong.
>
I didn't say it's wrong.
>
> Mark
>
> ------------------------------
> *From:* plog-svn-bounces at devel.lifetype.net [mailto:
> plog-svn-bounces at devel.lifetype.net] *On Behalf Of *Ahmad Saleh
> *Sent:* Saturday, November 24, 2007 12:46 AM
> *To:* LifeType Developer List
> *Subject:* Re: [pLog-svn] Anti CSRF solution
>
> Hi Mark
>
> I think you cannot solve the CSRF issue by just checking the request URL. I
> know it's part of a solution but not a solution, because there are no special
> characters added to the URL to specify whether it's a CSRF attack or not, and also in
> LifeType you can send parameters by any request method (GET/POST).
>
> And the easy way I talked about is to generate a key on each request
> and save it in a session (list/queue), send it to the view (add it to URLs, e.g.
> "?csrfCode=KKHEIKSI883KF83", or put it in a hidden field in the form).
>
> Then check if the CSRF code is valid in the session list; if so, perform the
> process, remove the CSRF key from the session, and generate another one.
>
>
> Regards,
> Ahmad
>
>
> _______________________________________________
> pLog-svn mailing list
> pLog-svn at devel.lifetype.net
> http://limedaley.com/mailman/listinfo/plog-svn
>
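The scheme Ahmad sketches in the quoted message (a fresh key per request kept in a session queue, carried as `?csrfCode=` or a hidden form field, checked and discarded on use), as an added example that is not code from this thread or from LifeType. The session is modelled as a plain dict, and `handle_state_change` is a hypothetical handler that receives the merged GET/POST parameters, since the thread notes LifeType accepts either method.

```python
import hmac
import html
import secrets
from urllib.parse import urlencode, urlparse, urlunparse, parse_qsl

MAX_OUTSTANDING = 10  # bound the per-session queue so many open tabs cannot grow it forever


def issue_token(session: dict) -> str:
    """Generate a fresh one-time key and queue it in the (dict-modelled) session."""
    token = secrets.token_hex(16)  # 128 bits from the OS CSPRNG, not guessable
    queue = session.setdefault("csrf_tokens", [])
    queue.append(token)
    del queue[:-MAX_OUTSTANDING]  # evict the oldest keys beyond the limit
    return token


def consume_token(session: dict, token) -> bool:
    """True if token is outstanding for this session; it is removed so it cannot be replayed."""
    if not isinstance(token, str) or not token.isascii():
        return False  # missing, wrong type, or not something we ever issued
    queue = session.get("csrf_tokens", [])
    for i, candidate in enumerate(queue):
        if hmac.compare_digest(candidate, token):  # constant-time compare
            del queue[i]  # single use: the key is gone once checked
            return True
    return False


def hidden_field(token: str) -> str:
    """Hidden input for a form, with the value HTML-escaped."""
    return f'<input type="hidden" name="csrfCode" value="{html.escape(token, quote=True)}">'


def link_with_token(url: str, token: str) -> str:
    """Append csrfCode to a state-changing link, preserving its existing query string."""
    parts = urlparse(url)
    query = parse_qsl(parts.query, keep_blank_values=True) + [("csrfCode", token)]
    return urlunparse(parts._replace(query=urlencode(query)))


def handle_state_change(session: dict, params: dict) -> tuple:
    """Hypothetical handler: check the key whatever the request method, then issue the next one."""
    if not consume_token(session, params.get("csrfCode")):
        return ("rejected", None)
    # ... perform the state-changing operation here ...
    return ("ok", issue_token(session))  # caller embeds the new key in the next view
```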