<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=us-ascii">
<META content="MSHTML 6.00.6000.16544" name=GENERATOR></HEAD>
<BODY>
<DIV dir=ltr align=left><SPAN class=344530917-23112007><FONT face=新細明體
color=#0000ff size=2>Ahmad:</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=344530917-23112007><FONT face=新細明體
color=#0000ff size=2></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN class=344530917-23112007><FONT face=新細明體
color=#0000ff size=2>Did you really see the URL I attached in this
thread???</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=344530917-23112007><FONT face=新細明體
color=#0000ff size=2></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN class=344530917-23112007><FONT face=新細明體
color=#0000ff size=2>It is the way you describe, but more
general.</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=344530917-23112007><FONT face=新細明體
color=#0000ff size=2></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN class=344530917-23112007><FONT face=新細明體
color=#0000ff size=2>So, I really have no idea why you said the way is
wrong.</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=344530917-23112007><FONT face=新細明體
color=#0000ff size=2></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN class=344530917-23112007><FONT face=新細明體
color=#0000ff size=2>Mark</FONT></SPAN></DIV><BR>
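<DIV dir=ltr align=left><FONT face=Tahoma size=2>The token scheme Ahmad sketches in the quoted message below (a fresh key per request, kept in a session list, sent to the view, checked and then discarded on use), written out as an added example; it is not part of the original thread and is not LifeType's own (PHP) code. It is in Python, and the <CODE>CsrfGuard</CODE> class, the <CODE>/deletePost</CODE> form, the dict standing in for the session and the list standing in for the database are all assumptions made for the illustration. It keeps a small bounded list of live tokens (the "list/queue" in the message) so that a user with several tabs open can still submit each of them, puts the token in a hidden field rather than in a <CODE>?csrfCode=</CODE> URL parameter because tokens in URLs leak through Referer headers, browser history and server logs, and reads the token from the POST body only while refusing GET, which matters because, as the message notes, LifeType accepts parameters via either method.</FONT></DIV>

```python
"""Per-request, single-use anti-CSRF tokens kept in a bounded session list.

Illustration only (not LifeType code): the session is a plain dict, the
handler and form are made up, and the "database" is a list.
"""
import hmac
import html
import secrets

# Assumption: keep a few live tokens per session so a user with several
# tabs open can still submit each of them; the oldest tokens are evicted first.
MAX_LIVE_TOKENS = 8


class CsrfGuard:
    def __init__(self, session):
        self.session = session                 # server-side session storage (dict-like)
        self.session.setdefault("csrf_tokens", [])

    def issue(self):
        """Generate a fresh token, remember it server-side and return it."""
        token = secrets.token_urlsafe(32)      # 256 bits from the OS CSPRNG
        tokens = self.session["csrf_tokens"]
        tokens.append(token)
        if len(tokens) > MAX_LIVE_TOKENS:
            del tokens[0]                      # FIFO eviction
        return token

    def verify_and_consume(self, presented):
        """True if `presented` is a live token; the token is discarded on success."""
        if not isinstance(presented, str):
            return False
        tokens = self.session["csrf_tokens"]
        for i, token in enumerate(tokens):
            # constant-time comparison: a timing side channel must not leak the token
            if hmac.compare_digest(token.encode(), presented.encode()):
                del tokens[i]                  # single use, so a replay fails
                return True
        return False


def render_delete_form(session, post_id):
    """Render the page: the token rides in a hidden field of a POST form,
    not in the URL, so it does not leak through Referer headers or logs."""
    token = CsrfGuard(session).issue()
    return (
        '<form method="post" action="/deletePost">'
        f'<input type="hidden" name="csrfCode" value="{html.escape(token)}">'
        f'<input type="hidden" name="postId" value="{int(post_id)}">'
        '<button type="submit">Delete</button></form>'
    )


def handle_delete(session, method, query, form, deleted):
    """State-changing handler; returns an HTTP status code.

    `query` is the parsed query string, `form` the parsed POST body and
    `deleted` a list standing in for the database.  The token is read from
    the body only, so a value smuggled into the query string does not count.
    """
    if method != "POST":
        return 405                             # never change state on GET
    guard = CsrfGuard(session)
    if not guard.verify_and_consume(form.get("csrfCode")):
        return 403                             # missing, forged, replayed or URL-only token
    deleted.append(int(form["postId"]))
    guard.issue()                              # hand the user a new token for the next action
    return 200


def demo():
    """Exercise the flows a reviewer would check; returns the outcomes."""
    session, deleted = {}, []
    render_delete_form(session, 42)
    token = session["csrf_tokens"][-1]         # what the real browser would submit
    out = {}
    # 1. Legitimate submission: token in the POST body.
    out["legit"] = handle_delete(session, "POST", {}, {"csrfCode": token, "postId": "42"}, deleted)
    # 2. Replay of the same token: it was consumed, so it fails.
    out["replay"] = handle_delete(session, "POST", {}, {"csrfCode": token, "postId": "42"}, deleted)
    # 3. Cross-site auto-submitted form: the attacker cannot read the victim's token.
    out["forged"] = handle_delete(session, "POST", {}, {"postId": "42"}, deleted)
    # 4. GET with a token in the query string (e.g. an <img src=...> pointing at the app).
    live = session["csrf_tokens"][-1]
    out["get"] = handle_delete(session, "GET", {"csrfCode": live, "postId": "42"}, {}, deleted)
    # 5. POST whose token sits only in the query string, not in the body.
    out["token_in_url"] = handle_delete(session, "POST", {"csrfCode": live}, {"postId": "42"}, deleted)
    out["deleted"] = list(deleted)
    return out


if __name__ == "__main__":
    print(demo())
```

<DIV dir=ltr align=left><FONT face=Tahoma size=2>Running the file walks through the five flows in <CODE>demo()</CODE>: only the first (token in the POST body, first use) is accepted; the replay, the forged cross-site form, the GET and the POST with the token only in the URL are all refused. A token that was pushed out of the bounded list by newer ones is also refused, which is the price of keeping the list short.</FONT></DIV>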
<BLOCKQUOTE
style="PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #0000ff 2px solid; MARGIN-RIGHT: 0px">
<DIV class=OutlookMessageHeader lang=zh-tw dir=ltr align=left>
<HR tabIndex=-1>
<FONT face=Tahoma size=2><B>From:</B> plog-svn-bounces@devel.lifetype.net
[mailto:plog-svn-bounces@devel.lifetype.net] <B>On Behalf Of </B>Ahmad
Saleh<BR><B>Sent:</B> Saturday, November 24, 2007 12:46 AM<BR><B>To:</B>
LifeType Developer List<BR><B>Subject:</B> Re: [pLog-svn] Anti CSRF
solution<BR></FONT><BR></DIV>
<DIV></DIV>Hi Mark<BR><BR>I think you cannot solve the CSRF issue by just checking
the request URL. I know it's part of a solution but not a solution, because
there are no special characters added to the URL to specify whether it's a CSRF attack
or not, and also in LifeType you can send parameters by any request method
(GET/POST). <BR><BR>And the easy way which I talked about is to generate a key
on each request and save it in the session (list/queue), then send it to the view (add it
to URLs "?csrfCode=KKHEIKSI883KF83", or put it in a hidden field in the form).
<BR><BR>Then check whether the CSRF code is valid in the session list; if so, perform
the process, remove the CSRF key from the session and generate another
one.<BR><BR><BR>Regards,<BR> Ahmad<BR></BLOCKQUOTE></BODY></HTML>