[pLog-svn] Anti CSRF solution

Reto Hugi plog at hugi.to
Tue Nov 27 05:51:28 EST 2007


Hi Mark,

Mark Wu wrote:

> I think modifying adminaction is easy, but you have to add a hidden input
> to all forms we want to protect, and that's not a fun job .. :P

Yes, I know. We've got quite a lot of forms to work through...


> Take deleteComment for example: in LifeType we use "deleteComments" to
> delete multiple comments at the same time, and it is an HTTP POST request, and
> we also use "deleteComment" to delete one comment at a time, and it is an
> HTTP GET request.

Ah, good point. That is the case for many requests. Maybe we should
really think about what we can do in the request generators...

Oh well, I'll think about it and will surely be glad for help and feedback
here and there. We'll see if I find an "easy" way to implement all that.

reto


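The scheme the thread is circling around, as an added example that is not LifeType/pLog code: one random token per session, emitted as a hidden input in every protected POST form, appended by the request generator to GET action URLs such as deleteComment, and checked once in the action dispatcher before anything runs. The field name `csrf_token`, the `$session` array standing in for `$_SESSION`, and the `admin.php?op=...` URL shape are assumptions for illustration; `random_bytes` and `hash_equals` need PHP 7 or later.

```php
<?php
// Added example, not LifeType/pLog code. A per-session anti-CSRF token that is
// emitted as a hidden input in POST forms and appended as a query parameter to
// GET links such as deleteComment, then checked before any admin action runs.
// The field name, the $session array (stand-in for $_SESSION) and the URL
// shape are assumptions for illustration.

declare(strict_types=1);

const CSRF_FIELD = 'csrf_token';

/** Return the session's token, creating a 32-byte random one on first use. */
function csrf_get_token(array &$session): string
{
    if (empty($session[CSRF_FIELD])) {
        $session[CSRF_FIELD] = bin2hex(random_bytes(32));
    }
    return $session[CSRF_FIELD];
}

/** Hidden input to drop into every protected POST form (e.g. deleteComments). */
function csrf_hidden_input(array &$session): string
{
    $token = htmlspecialchars(csrf_get_token($session), ENT_QUOTES, 'UTF-8');
    return '<input type="hidden" name="' . CSRF_FIELD . '" value="' . $token . '">';
}

/** Append the token to a GET action URL, which is what a request generator would do. */
function csrf_protect_url(array &$session, string $url): string
{
    $sep = (strpos($url, '?') === false) ? '?' : '&';
    return $url . $sep . CSRF_FIELD . '=' . rawurlencode(csrf_get_token($session));
}

/**
 * Validate a request regardless of method: look in POST first, then GET.
 * Rejects a missing session token, a missing or non-string parameter (such as
 * csrf_token[]=x), and compares in constant time so the token cannot be
 * guessed byte by byte from timing differences.
 */
function csrf_check(array $session, array $post, array $get): bool
{
    $expected = $session[CSRF_FIELD] ?? '';
    $supplied = $post[CSRF_FIELD] ?? $get[CSRF_FIELD] ?? '';
    if ($expected === '' || !is_string($supplied) || $supplied === '') {
        return false;
    }
    return hash_equals($expected, $supplied);
}

// Demo: one simulated session serving a POST form and a GET link, then
// checking a legitimate submission and a forged cross-site request.
$session = [];                                   // stands in for $_SESSION
echo csrf_hidden_input($session), "\n";
echo csrf_protect_url($session, 'admin.php?op=deleteComment&commentId=42'), "\n";

$legitimatePost = [CSRF_FIELD => $session[CSRF_FIELD], 'op' => 'deleteComments'];
$forgedGet      = ['op' => 'deleteComment', 'commentId' => '42'];  // no token: attacker cannot read it
var_dump(csrf_check($session, $legitimatePost, []));
var_dump(csrf_check($session, [], $forgedGet));
```

Putting the check in one place (the dispatcher that maps the action name to its handler) is what makes this tractable when there are many forms: only the emission side has to touch each form and link. Carrying the token on a GET URL is a stop-gap for the deleteComment case; the URL can leak through the Referer header and browser history, so state-changing actions are better moved to POST over time.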