On Tuesday, July 08, 2014 09:13:14 AM you wrote:
> The name of the variable is badly chosen: formPassword is an anti-CSRF
> token (https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29 ); do *NOT* touch it.
>
> As for when to use one, two rules:
> 1) if you're changing server side state, you need a POST request
> 2) all POST requests need an anti-CSRF token (the exception being a
> login page, where credentials -that are unpredictable to an attacker-
> are exchanged)
>
> NextGen$
Thanks for the very short clarification! I've used this as a foundation for a pull request which JavaDocs the formPassword variable and relevant functions, please review it:
https://github.com/freenet/fred-staging/pull/260

Also, I have a question about the standard form password validation function:
https://github.com/xor-freenet/fred-staging/blob/f2ddcb9cd8c44346e74f6f14313e01f12871d2a2/src/freenet/support/plugins/helpers1/WebInterfaceToadlet.java#L71

It first tries to obtain it from a GET-variable, then from POST. Isn't it unsafe to pass this around via GET?
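The two rules quoted above, plus the GET-versus-POST lookup the question raises, as an added illustration that is not part of this thread or of Freenet's code. The `Session`, `Request` and `LOGIN_PATHS` names are constructed for the example; only the `formPassword` field name comes from the discussion. The `accept_query` switch models the lookup order the question describes (GET variable first, then POST) beside the stricter body-only lookup, so the difference can be exercised directly.

```python
import hmac
import secrets
from dataclasses import dataclass, field


# Constructed model of a session and an HTTP request; not Freenet's Toadlet API.
@dataclass
class Session:
    # One unpredictable anti-CSRF token per session (the thread's "formPassword").
    form_password: str = field(default_factory=lambda: secrets.token_urlsafe(32))


@dataclass
class Request:
    method: str
    path: str
    query: dict      # URL query string parameters ("GET variables")
    body: dict       # form fields from the POST body
    session: Session


# Hypothetical login path: the credentials themselves are unpredictable to an
# attacker, which is the exception rule 2 carves out.
LOGIN_PATHS = {"/login"}


def needs_token(req: Request) -> bool:
    """Rule 2: every POST carries an anti-CSRF token, except the login form."""
    return req.path not in LOGIN_PATHS


def submitted_token(req: Request, accept_query: bool):
    """accept_query=True mirrors the order asked about (query string first, then
    POST body); False reads the POST body only, so the token never appears in a
    URL, where it would end up in server logs, browser history and Referer headers."""
    if accept_query and "formPassword" in req.query:
        return req.query["formPassword"]
    return req.body.get("formPassword")


def allow_state_change(req: Request, accept_query: bool = False) -> bool:
    """Decide whether this request may change server-side state."""
    if req.method != "POST":        # Rule 1: state changes happen only via POST
        return False
    if not needs_token(req):        # login exception from rule 2
        return True
    token = submitted_token(req, accept_query)
    if token is None:
        return False
    # Constant-time comparison: no timing side channel for guessing the token.
    return hmac.compare_digest(token.encode(), req.session.form_password.encode())
```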
_______________________________________________ Devl mailing list Devl@freenetproject.org https://emu.freenetproject.org/cgi-bin/mailman/listinfo/devl