<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=us-ascii">
<META content="MSHTML 6.00.6000.16544" name=GENERATOR></HEAD>
<BODY>
<DIV dir=ltr align=left><SPAN class=078501614-23112007><FONT face=新細明體
color=#0000ff size=2>Ahmad:</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=078501614-23112007><FONT face=新細明體
color=#0000ff size=2></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN class=078501614-23112007><FONT face=新細明體
color=#0000ff size=2>Do you see what CSRFx does? It is an easy way, especially
when LifeType uses a front controller to dispatch the request to the
action.</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=078501614-23112007><FONT face=新細明體
color=#0000ff size=2></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN class=078501614-23112007><FONT face=新細明體
color=#0000ff size=2>We can apply the same skill (concept) to prevent CSRF
without modifying the current code ...</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=078501614-23112007><FONT face=新細明體
color=#0000ff size=2></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN class=078501614-23112007><FONT face=新細明體
color=#0000ff size=2>The best is we don't need to modify the action file one by
one.</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=078501614-23112007><FONT face=新細明體
color=#0000ff size=2></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN class=078501614-23112007><FONT face=新細明體
color=#0000ff size=2>So, what do you mean "<FONT color=#000000 size=3>Why don't
you keep it simple as you can ? </FONT>"?</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=078501614-23112007><FONT face=新細明體
color=#0000ff size=2></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN class=078501614-23112007><FONT face=新細明體
color=#0000ff size=2>If you can provide an easy and simple way to prevent CSRF, I
would really like to see it.</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=078501614-23112007><FONT face=新細明體
color=#0000ff size=2></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN class=078501614-23112007><FONT face=新細明體
color=#0000ff size=2>Mark</FONT></SPAN></DIV><BR>
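<DIV dir=ltr align=left><FONT face=Tahoma size=2>Added example (not LifeType code, and not written by anyone in this thread): a front-controller CSRF guard in PHP of the kind discussed above. It keeps the token in the PHP session rather than a database table, and runs once before the request is dispatched, so individual action files need no changes. The function names, the form field name <CODE>csrf_token</CODE>, and the exemption of GET/HEAD/OPTIONS requests are assumptions, not LifeType conventions.</FONT></DIV>

```php
<?php
// Added example, not LifeType code. A CSRF guard meant to be called from the
// front controller before the request is dispatched to an action, so that no
// per-action file needs editing. The token is stored in the PHP session.
declare(strict_types=1);

// Assumed name of the hidden form field / request parameter carrying the token.
const CSRF_FIELD = 'csrf_token';

// Return the session's CSRF token, creating it on first use.
// random_bytes() gives an unpredictable value; a hash of time() or of the
// session id alone would be guessable.
function csrf_token(array &$session): string
{
    if (empty($session[CSRF_FIELD]) || !is_string($session[CSRF_FIELD])) {
        $session[CSRF_FIELD] = bin2hex(random_bytes(32));
    }
    return $session[CSRF_FIELD];
}

// Hidden input to include in every state-changing form template.
function csrf_hidden_field(array &$session): string
{
    return '<input type="hidden" name="' . CSRF_FIELD . '" value="'
        . htmlspecialchars(csrf_token($session), ENT_QUOTES, 'UTF-8') . '">';
}

// Decide whether a request may proceed. Pure functions of method, request
// parameters and session so the logic can be exercised without a web server.
function csrf_request_is_valid(string $method, array $request, array &$session): bool
{
    // Assumption: GET/HEAD/OPTIONS never change state. If any action changes
    // state on GET, drop this exemption and read the token from $_GET as well.
    if (in_array(strtoupper($method), ['GET', 'HEAD', 'OPTIONS'], true)) {
        return true;
    }
    $sent = $request[CSRF_FIELD] ?? '';
    if (!is_string($sent) || $sent === '' || empty($session[CSRF_FIELD])) {
        return false;
    }
    // Constant-time comparison so the check does not leak the token byte by byte.
    return hash_equals($session[CSRF_FIELD], $sent);
}

// Front-controller hook: call once, before dispatching to the action.
function csrf_guard(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (!csrf_request_is_valid($_SERVER['REQUEST_METHOD'] ?? 'GET', $_POST, $_SESSION)) {
        http_response_code(403);
        exit('Invalid or missing CSRF token.');
    }
}

// Stand-alone run with a constructed session and constructed requests
// (no web server needed). Expected: valid, forged, safe-method.
$session = [];
$hidden  = csrf_hidden_field($session);                 // token is now in $session
$genuine = [CSRF_FIELD => $session[CSRF_FIELD]];         // form rendered by the site
$forged  = [CSRF_FIELD => 'guess-from-another-origin'];  // cross-site form post
var_dump(csrf_request_is_valid('POST', $genuine, $session));
var_dump(csrf_request_is_valid('POST', $forged, $session));
var_dump(csrf_request_is_valid('GET', [], $session));
```

<DIV dir=ltr align=left><FONT face=Tahoma size=2>A per-session token, as above, is the simpler variant; rotating the token on every request (as Ahmad suggests) can be done by regenerating it in <CODE>csrf_token()</CODE> after each successful check, at the cost of breaking forms opened in a second tab. Either way, the only thing the guard relies on is that a cross-origin page cannot read the victim's session token, which is why the token must be unpredictable and never placed in a URL that could leak through a Referer header.</FONT></DIV>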
<BLOCKQUOTE
style="PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #0000ff 2px solid; MARGIN-RIGHT: 0px">
<DIV class=OutlookMessageHeader lang=zh-tw dir=ltr align=left>
<HR tabIndex=-1>
<FONT face=Tahoma size=2><B>From:</B> plog-svn-bounces@devel.lifetype.net
[mailto:plog-svn-bounces@devel.lifetype.net] <B>On Behalf Of </B>Ahmad
Saleh<BR><B>Sent:</B> Friday, November 23, 2007 8:13 PM<BR><B>To:</B> LifeType
Developer List<BR><B>Subject:</B> Re: [pLog-svn] Anti CSRF
solution<BR></FONT><BR></DIV>
<DIV></DIV>Hi All<BR><BR>Why don't you keep it simple as you can ?
<BR>Definitely, there is no full solution for the CSRF issue, but you can decrease
its occurrence by sending a csrf key on each
request.<BR><BR>Regards,<BR> Ahmad<BR><BR>
<DIV class=gmail_quote>On Nov 23, 2007 1:58 PM, Mark Wu <<A
href="mailto:markplace@gmail.com">markplace@gmail.com</A>> wrote:<BR>
<BLOCKQUOTE class=gmail_quote
style="PADDING-LEFT: 1ex; MARGIN: 0pt 0pt 0pt 0.8ex; BORDER-LEFT: rgb(204,204,204) 1px solid">I
don't think using the db is a good idea ...<BR><BR>We need to use a file based solution
to avoid db access..<BR>
<DIV class=Ih2E3d><BR>Mark<BR><BR>> -----Original Message-----<BR>>
From: <A
href="mailto:plog-svn-bounces@devel.lifetype.net">plog-svn-bounces@devel.lifetype.net</A><BR></DIV>
<DIV class=Ih2E3d>> [mailto:<A
href="mailto:plog-svn-bounces@devel.lifetype.net">plog-svn-bounces@devel.lifetype.net</A>]
On Behalf Of Reto Hugi<BR>> Sent: Friday, November 23, 2007 6:58 PM
<BR>> To: LifeType Developer List<BR>> Subject: Re: [pLog-svn] Anti
CSRF solution<BR>><BR></DIV>
<DIV>
<DIV></DIV>
<DIV class=Wj3C7c>> Mark Wu wrote:<BR>> > I know we discussed this
issue before, but it seems there is <BR>> no solution<BR>> > for
this.<BR>> ><BR>> > This code comes from Google Code; maybe
we can borrow<BR>> the idea from<BR>> > this tool<BR>>
><BR>> > <A href="http://code.google.com/p/csrfx/"
target=_blank>http://code.google.com/p/csrfx/</A><BR>>
><BR>><BR>> oh well, I added exactly that link to <A
href="http://bugs.lt.net" target=_blank>bugs.lt.net</A> a couple of<BR>>
minutes ago.... :)<BR>><BR>> I think we can use it to build our
methods in the validation <BR>> classes, and validate the token on a per
action basis. It's<BR>> more efficient than simulating some sort of
pseudo security<BR>> layer on top of LT's business logic.<BR>> IMO that
layer should be handled by mod_security, .htaccess <BR>> files and
security appliances.<BR>><BR>> BTW: Do we need an additional table to
implement this? I<BR>> thought it's ok to use the user's
session....<BR>> _______________________________________________ <BR>>
pLog-svn mailing list<BR>> <A
href="mailto:pLog-svn@devel.lifetype.net">pLog-svn@devel.lifetype.net</A><BR>>
<A href="http://limedaley.com/mailman/listinfo/plog-svn"
target=_blank>http://limedaley.com/mailman/listinfo/plog-svn
</A><BR></DIV></DIV></BLOCKQUOTE></DIV><BR></BLOCKQUOTE></BODY></HTML>