Hi All<br><br>Why don't you keep it as simple as you can? <br>Definitely, there is no full solution for the CSRF issue, but you can decrease its occurrence by sending a CSRF key on each request.<br><br>Regards,<br>
Ahmad<br><br><div class="gmail_quote">On Nov 23, 2007 1:58 PM, Mark Wu <<a href="mailto:markplace@gmail.com">markplace@gmail.com</a>> wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
I don't think using the db is a good idea ...<br><br>We need to use a file-based solution to avoid db access.<br><div class="Ih2E3d"><br>Mark<br><br>> -----Original Message-----<br>> From: <a href="mailto:plog-svn-bounces@devel.lifetype.net">
plog-svn-bounces@devel.lifetype.net</a><br></div><div class="Ih2E3d">> [mailto:<a href="mailto:plog-svn-bounces@devel.lifetype.net">plog-svn-bounces@devel.lifetype.net</a>] On Behalf Of Reto Hugi<br>> Sent: Friday, November 23, 2007 6:58 PM
<br>> To: LifeType Developer List<br>> Subject: Re: [pLog-svn] Anti CSRF solution<br>><br></div><div><div></div><div class="Wj3C7c">> Mark Wu wrote:<br>> > I know we discussed this issue before, but it seems there is
<br>> > no solution<br>> > for this.<br>> ><br>> > This code comes from Google Code; maybe we can borrow<br>> > the idea from<br>> > this tool<br>> ><br>> > <a href="http://code.google.com/p/csrfx/" target="_blank">
http://code.google.com/p/csrfx/</a><br>> ><br>><br>> oh well, I added exactly that link to <a href="http://bugs.lt.net" target="_blank">bugs.lt.net</a> a couple of<br>> minutes ago.... :)<br>><br>> I think we can use it to build our methods in the validation
<br>> classes, and validate the token on a per-action basis. It's<br>> more efficient than simulating some sort of pseudo security<br>> layer on top of LT's business logic.<br>> IMO that layer should be handled by mod_security, .htaccess
<br>> files and security appliances.<br>><br>> BTW: Do we need an additional table to implement this? I<br>> thought it's ok to use the user's session....<br>> _______________________________________________
<br>> pLog-svn mailing list<br>> <a href="mailto:pLog-svn@devel.lifetype.net">pLog-svn@devel.lifetype.net</a><br>> <a href="http://limedaley.com/mailman/listinfo/plog-svn" target="_blank">http://limedaley.com/mailman/listinfo/plog-svn
</a><br></div></div></blockquote></div><br>
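The two designs argued over in this thread (Ahmad's "send a CSRF key on each request" and Reto's "validate the token per action, stored in the user's session, no extra table") can both be implemented against nothing more than the server-side session. The following is an added example written for this page; it is not LifeType code and not the csrfx tool. It uses a plain dict as a stand-in for the session store, and the names issue_token, validate_token, derived_token, validate_derived and the session keys "csrf" / "csrf_secret" are assumptions. The stateful variant mints a random token per action and, with one_time=True, consumes it on first use so every form carries a fresh key; the derived variant keeps a single per-session secret and computes HMAC(secret, action) on the fly, so nothing per action is stored at all.

```python
"""Session-bound anti-CSRF tokens (added example, not LifeType's own code).

Two variants, neither needing a database table:
  * stateful: random token per action kept in the user's session and,
    optionally, consumed on first use (a fresh key on each request);
  * derived: HMAC-SHA256(per-session secret, action), so only one secret
    is stored and every token rotates when that secret does (login/logout).
The dict-based `session` and the key names below are assumptions.
"""
import hashlib
import hmac
import secrets

TOKEN_SLOT = "csrf"           # assumed session key for per-action tokens
SECRET_SLOT = "csrf_secret"   # assumed session key for the derived variant


def _equal(a: str, b: str) -> bool:
    """Constant-time comparison on bytes, so non-ASCII input cannot raise."""
    return hmac.compare_digest(a.encode("utf-8"), b.encode("utf-8"))


def issue_token(session: dict, action: str) -> str:
    """Mint a 128-bit random token for `action` and store it in the session.

    Tokens are kept per action, so one minted for "deletePost" is useless
    against "updateUser" even inside the same session.
    """
    token = secrets.token_hex(16)
    session.setdefault(TOKEN_SLOT, {})[action] = token
    return token


def validate_token(session: dict, action: str, submitted, one_time: bool = True) -> bool:
    """Compare the submitted value with the token stored for `action`.

    one_time=True discards the stored token on every attempt, valid or not,
    so each form must carry a freshly issued token; one_time=False keeps it
    for the lifetime of the session.
    """
    stored = session.get(TOKEN_SLOT, {})
    expected = stored.get(action)
    if one_time:
        stored.pop(action, None)
    if expected is None or not isinstance(submitted, str):
        return False
    return _equal(expected, submitted)


def _session_secret(session: dict) -> bytes:
    """Lazily create the per-session secret; regenerate it at login to invalidate old tokens."""
    if SECRET_SLOT not in session:
        session[SECRET_SLOT] = secrets.token_bytes(32)
    return session[SECRET_SLOT]


def derived_token(session: dict, action: str) -> str:
    """Token = HMAC-SHA256(session secret, action); nothing per action is stored."""
    return hmac.new(_session_secret(session), action.encode("utf-8"), hashlib.sha256).hexdigest()


def validate_derived(session: dict, action: str, submitted) -> bool:
    """Recompute the derived token and compare; a session with no secret never validates."""
    if SECRET_SLOT not in session or not isinstance(submitted, str):
        return False
    return _equal(derived_token(session, action), submitted)


def demo() -> dict:
    """Exercise the cases a reviewer would want covered and return the outcomes."""
    victim = {}     # constructed: the logged-in user's session
    attacker = {}   # constructed: an unrelated session the attacker controls
    r = {}

    t = issue_token(victim, "deletePost")
    r["valid_once"] = validate_token(victim, "deletePost", t)         # True
    r["replay_rejected"] = validate_token(victim, "deletePost", t)    # False: consumed

    t = issue_token(victim, "deletePost")
    r["wrong_action"] = validate_token(victim, "updateUser", t)       # False: no token for that action
    forged = issue_token(attacker, "deletePost")
    r["cross_session"] = validate_token(victim, "deletePost", forged) # False: attacker's token, victim's session
    r["missing"] = validate_token(victim, "deletePost", None)         # False: nothing submitted

    d = derived_token(victim, "deletePost")
    r["derived_valid"] = validate_derived(victim, "deletePost", d)        # True
    r["derived_reusable"] = validate_derived(victim, "deletePost", d)     # True: lives with the session
    r["derived_wrong_action"] = validate_derived(victim, "updateUser", d) # False
    r["derived_forged"] = validate_derived(
        victim, "deletePost", derived_token(attacker, "deletePost"))      # False: other session's secret
    return r


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:22s} {ok}")
```

The trade-off between the two is the one the thread circles: one-time tokens give the strictest guarantee but break a user who has the same form open in two tabs, since the second submission arrives with an already-consumed token; the derived variant tolerates that, at the cost of a token that stays valid until the session secret is rotated. In both cases the token must travel in the POST body or a request header that the browser only sends for same-origin forms or scripts, never solely in a cookie, and every state-changing action must be a POST, or a GET request with the link alone is enough to forge it.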