There are ways to do it for forms and URLs. In fact, I have a fully baked implementation of a mitigation in my Tardis framework. The approach is simple: have each page request a token (nonce) from a security component and add it as a hidden field to your form, or append it to any URL inside your app, and then check on the next request to make sure that the token was passed and that it has never been used before. This also prevents double-submits. Let me know if you'd like a go-to for the code...
________________________________
From: Gerry Gurevich <[email protected]>
To: [email protected]
Sent: Wednesday, December 17, 2008 3:59:50 PM
Subject: [ACFUG Discuss] Cross Site Forgery Question

Sorry, I posted to the wrong list initially. Here is my question for the discussion list:

I've been asked to investigate this by someone at my company. They found this link as a CF solution. Do you all have any thoughts or opinions on the value of this approach? It seems to only work for form submit actions. What would you do if you had a link to an action page? How would you mitigate against this type of attack? Your thoughts are appreciated.

-------------------------------------------------------------
To unsubscribe from this list, manage your profile @ http://www.acfug.org?fa=login.edituserform
For more info, see http://www.acfug.org/mailinglists
Archive @ http://www.mail-archive.com/discussion%40acfug.org/
List hosted by http://www.fusionlink.com
-------------------------------------------------------------
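The single-use token scheme described in the reply above, written out as an added illustration (this is not code from the Tardis framework, whose actual API is not shown in the thread, and it is sketched in Python rather than CFML): each user session keeps its own store, a token is issued for a form's hidden field or appended to an action URL, and the next request is accepted only if it carries a token that was issued to that session, is still fresh, and has not been consumed before. All names (`NonceStore`, `protected_url`, `check_request`) and the 15-minute lifetime are assumptions.

```python
import secrets
import time
import html
from urllib.parse import urlencode, urlsplit, parse_qs


class NonceStore:
    """One instance per user session (the ColdFusion session scope in the
    thread's setting). Tokens are unguessable, single-use and time-limited."""

    def __init__(self, ttl_seconds=900, clock=time.monotonic):
        self.ttl = ttl_seconds
        self.clock = clock          # injectable so expiry can be tested
        self._issued = {}           # token -> time it was handed out

    def issue(self):
        token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
        self._issued[token] = self.clock()
        return token

    def consume(self, token):
        """True exactly once for a token this session issued and that has
        not expired. Popping it makes replays and double-submits fail."""
        issued_at = self._issued.pop(token, None)
        if issued_at is None:
            return False
        return self.clock() - issued_at <= self.ttl


def hidden_field(store):
    """Markup to drop inside a <form> so the token travels with the POST."""
    return '<input type="hidden" name="token" value="%s">' % html.escape(store.issue())


def protected_url(store, base):
    """Append a fresh token to an action link such as /deleteItem.cfm?id=7."""
    sep = "&" if "?" in base else "?"
    return base + sep + urlencode({"token": store.issue()})


def params_from_url(url):
    """Constructed stand-in for the request's URL/form scope: first value per name."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def check_request(store, params):
    """Gate for the action page: reject any request whose token is missing,
    foreign to this session, already used, or older than the lifetime."""
    token = params.get("token")
    return token is not None and store.consume(token)
```

A forged cross-site request cannot include a valid token because the attacker's page never received one from the victim's session, and resubmitting a legitimate form reuses a token that has already been popped.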
