What's to stop the bot from grabbing the token from the home page and
using it in its attack? The token has to be something the
bot can't readily read, e.g., captcha.
On Aug 18, 2007, at 10:11 AM, Carl Johnstone wrote:
Bill Moseley wrote:
Unfortunately, I often want to have a login form on the home page, and
that page is typically static -- so I can't use my token in that
situation.
How about using a variation of the token system? You have a token
that's valid for any request, which you change fairly frequently -
say every 5 minutes. Then you dynamically insert that into the home
page.
Then, to give you the effect of a static home page, use Apache's
mod_cache.
Finally, in your login form, you accept any of the last X tokens,
where X > 2 (you could've cached the page just before the token
expired), up to whatever lifetime you want to allow.
Carl
_______________________________________________
List: [email protected]
Listinfo: http://lists.rawmode.org/mailman/listinfo/catalyst
Searchable archive: http://www.mail-archive.com/[email protected]/
Dev site: http://dev.catalyst.perl.org/
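The rotating-token scheme Carl describes above, written out as an added example (this is not code from the thread or from Catalyst; it is a generic illustration in Python rather than Perl). The thread does not say how the per-window token is derived, so the example assumes an HMAC-SHA256 over a time-bucket number with a server-side secret, which lets the login handler verify any of the last X windows without storing issued tokens. The acceptance window is computed from the mod_cache TTL plus the time a user may spend on the form, which is the reason Carl gives for X > 2. As the first reply in the thread notes, this only rejects stale or forged tokens; a bot that fetches the page gets a fresh token like any browser, so the check bounds replay, it does not prove a human is present.

```python
import hashlib
import hmac
import math
import time

WINDOW_SECONDS = 300          # token rotates every 5 minutes, per the thread
SECRET = b"constructed-demo-secret-rotate-in-production"  # constructed value

def _bucket(ts):
    """Map a Unix timestamp to the number of the 5-minute window it falls in."""
    return int(ts) // WINDOW_SECONDS

def _token_for_bucket(bucket, secret=SECRET):
    # HMAC over the bucket number: anyone with the secret can recompute the
    # token for any window, so nothing has to be stored server-side.
    return hmac.new(secret, str(bucket).encode(), hashlib.sha256).hexdigest()

def make_token(ts=None, secret=SECRET):
    """Token to embed in the (cached) home page for the current window."""
    ts = time.time() if ts is None else ts
    return _token_for_bucket(_bucket(ts), secret)

def required_previous_windows(cache_ttl_seconds, form_fill_seconds):
    """Smallest X such that a token issued at the very end of a window, served
    from cache for up to cache_ttl_seconds and then held in a form for up to
    form_fill_seconds, still falls inside the accepted range."""
    return math.ceil((cache_ttl_seconds + form_fill_seconds) / WINDOW_SECONDS)

def token_is_valid(token, ts=None, accept_previous=2, secret=SECRET):
    """Accept the current window's token and the accept_previous windows
    before it; reject anything older or anything not produced with SECRET."""
    ts = time.time() if ts is None else ts
    current = _bucket(ts)
    ok = False
    # Check every candidate window with a constant-time compare rather than
    # returning early, so timing does not reveal which window matched.
    for bucket in range(current, current - accept_previous - 1, -1):
        if hmac.compare_digest(_token_for_bucket(bucket, secret), token):
            ok = True
    return ok

if __name__ == "__main__":
    # Constructed timeline: page rendered at t0, cached for 5 minutes,
    # user submits the login form somewhat later.
    t0 = 1_000_000
    x = required_previous_windows(cache_ttl_seconds=300, form_fill_seconds=300)
    tok = make_token(t0)
    print("accept last", x, "windows")
    print("submitted 10 minutes later:", token_is_valid(tok, t0 + 600, x))
    print("submitted 15 minutes later:", token_is_valid(tok, t0 + 900, x))
    print("forged with other secret:", token_is_valid(make_token(t0, b"other"), t0, x))
```

Setting the page's Cache-Control max-age (what mod_cache honours) to a value no larger than the window keeps the cached copy from ever carrying a token older than one window, which is what lets X stay small.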