[pLog-svn] Anti CSRF solution
plog at hugi.to
Tue Nov 27 05:51:28 EST 2007
Mark Wu wrote:
> I think modifying adminaction is easy, but you have to add a hidden input
> to all forms we want to protect, and that's not a fun job .. :P
yes I know. We've got quite a lot of forms to work through...
> Take deleteComment for example: in lifetype we use "deleteComments" to
> delete multiple comments at the same time, and it is an HTTP POST request;
> we also use "deleteComment" to delete one comment at a time, and it is an
> HTTP GET request.
ah, good point. That is the case on many requests. Maybe we should
really think about what we can do in the requestgenerators...
Oh well, I'll think about it and will surely be glad for help and feedback
here and there. We'll see if I find an "easy" way to implement all that.
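The mechanism discussed in this thread, as an added illustration that is not code from the pLog/LifeType project: a per-session secret, a token derived from it for each admin action, the hidden input that would be added to a protected form, and a check that rejects the unprotected GET form of deleteComment. The `op` parameter name, the action names and the `commentId`/`commentIds[]` parameters in the sample requests are assumptions made for this example.

```python
import hmac
import hashlib
import html
import secrets
from urllib.parse import parse_qs

# Assumption for this example: these admin actions change state and need a token;
# anything else is treated as read-only and may be fetched with a plain GET.
STATE_CHANGING = {"deleteComment", "deleteComments"}


def new_session_secret() -> str:
    """Random per-session secret; the server keeps it in the session, never in the URL."""
    return secrets.token_hex(32)


def csrf_token(session_secret: str, action: str) -> str:
    """Token bound to both the session and the action (HMAC-SHA256).

    Binding to the action means a token harvested from one form cannot be
    replayed against a different admin action.
    """
    return hmac.new(session_secret.encode(), action.encode(), hashlib.sha256).hexdigest()


def hidden_input(session_secret: str, action: str) -> str:
    """The hidden field a protected form would carry (escaped for safe embedding)."""
    token = html.escape(csrf_token(session_secret, action), quote=True)
    return '<input type="hidden" name="csrf_token" value="%s">' % token


def authorize(session_secret: str, method: str, query: str) -> bool:
    """Decide whether a request may run its admin action.

    method: "GET" or "POST"; query: the raw query string or POST body.
    Returns True when the action is read-only, or when it is state-changing,
    arrives by POST and carries a token matching this session and action.
    """
    params = parse_qs(query)
    action = params.get("op", [""])[0]
    if action not in STATE_CHANGING:
        return True
    # A GET deleteComment link cannot carry the hidden form field, so the
    # single-comment GET variant from the thread is refused until it is
    # converted to a tokened POST.
    if method != "POST":
        return False
    token = params.get("csrf_token", [""])[0]
    # Constant-time comparison so the check does not leak the token byte by byte.
    return hmac.compare_digest(token, csrf_token(session_secret, action))


if __name__ == "__main__":
    # Constructed sample session and requests.
    secret = new_session_secret()
    print(hidden_input(secret, "deleteComments"))
    good = "op=deleteComments&commentIds[]=1&csrf_token=" + csrf_token(secret, "deleteComments")
    print("tokened POST deleteComments:", authorize(secret, "POST", good))
    print("plain GET deleteComment:   ", authorize(secret, "GET", "op=deleteComment&commentId=1"))
```

A token bound to the action, as above, also answers the multi-form concern raised in the thread: the same helper renders the field for every form, and the server-side check is one function applied in the request dispatcher rather than per form.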