> form, find all the hidden fields and their values and add
> them to my spoofed form.
>
> This is very difficult to do!!!!
Yes, and in most cases it's probably not worth your trouble to try to
prevent it.
> Would sessions help? Not allow access to the action page if
> a session is not defined? Much beyond that I'm not sure what
> is practical.
Yes, sessions could help, although you could get the same effect from any
custom token you generated, as long as you create the token prior to getting
to the action page.
Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
phone: 202-797-5496
fax: 202-797-5444
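The token approach Dave describes, as an added example that is not part of the original thread: the server creates a random token when it renders the form (before the action page is ever reached), stores it in the session, embeds it as a hidden field, and the action page accepts a submission only if the posted token matches the one in the submitter's own session. The in-memory `SESSIONS` dict, the `/action` path and the function names are assumptions for illustration; a real application would use its framework's session store.

```python
import hmac
import secrets

# Constructed stand-in for a server-side session store: session_id -> session data.
SESSIONS = {}


def start_session():
    """Create a new session and return its id (what the session cookie would carry)."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {}
    return sid


def issue_form_token(sid):
    """Called while rendering the form, i.e. before the action page.
    Stores a fresh random token in the session and returns it for the hidden field."""
    token = secrets.token_urlsafe(32)
    SESSIONS[sid]["form_token"] = token
    return token


def render_form(sid):
    """Return the form markup with the token embedded as a hidden field (path is hypothetical)."""
    token = issue_form_token(sid)
    return (
        '<form method="post" action="/action">'
        f'<input type="hidden" name="form_token" value="{token}">'
        '<input type="text" name="comment">'
        '</form>'
    )


def handle_action(sid, posted_fields):
    """Action page: reject unless the request carries a known session, a token was
    issued to that session, and the posted token matches it. The token is single-use,
    so a captured hidden field cannot be replayed."""
    session = SESSIONS.get(sid)
    if session is None:
        return (403, "no session")
    expected = session.pop("form_token", None)  # consume it: one submission per rendered form
    posted = posted_fields.get("form_token", "")
    if expected is None or not hmac.compare_digest(expected.encode(), posted.encode()):
        return (403, "bad or missing form token")
    return (200, "accepted")


if __name__ == "__main__":
    sid = start_session()
    html = render_form(sid)
    token = SESSIONS[sid]["form_token"]
    print(handle_action(sid, {"form_token": token}))   # (200, 'accepted')
    print(handle_action(sid, {"form_token": token}))   # replay is rejected
```

Because the token lives in the submitter's session, copying the hidden fields out of someone else's rendered form gains nothing: the copied value is compared against the copier's own session, which either has no token or a different one. Sessions alone give you the "is there a session at all" check; the per-form token adds the "was this form actually rendered for this session" check.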