On 12/12/06, Jeremy Dunck <[EMAIL PROTECTED]> wrote:
> With sparse session keys, the only reasonable attack I can see is MITM
> or replay. And no fingerprinting based on the request will help that,
> since all the headers are in the clear.
Yup. If you're really concerned about those types of attacks, SSL is your friend. Failing that, requiring HTTP POST + the CSRF middleware for anything remotely sensitive or data-altering is a good thing (I remember mentioning this on a reddit thread about CSRF attacks which were able to do things like add movies to people's Netflix queues).

-- 
"May the forces of evil become confused on the way to your house." -- George Carlin
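The "POST + CSRF token" rule from the reply above, as an added example that is not part of the thread and is not Django's own middleware: a small stand-alone check that refuses any data-altering request that is not a POST, and then requires a token bound to the caller's session by HMAC. The server secret, the session ids, the `csrfmiddlewaretoken` field name and the constructed requests in `run_demo()` are all assumptions made for this example.

```python
import hmac
import hashlib
from typing import Dict, Optional, Tuple

# Constructed for this example; a real deployment uses a per-site secret.
SERVER_SECRET = b"example-only-secret"

# Form field the page is assumed to submit the token in (assumption).
TOKEN_FIELD = "csrfmiddlewaretoken"


def csrf_token_for_session(session_id: str) -> str:
    """Derive the CSRF token for a session as HMAC-SHA256(secret, session id).

    Tying the token to the session means a token taken from one session is
    rejected for every other session, and the server stores nothing extra.
    """
    return hmac.new(SERVER_SECRET, session_id.encode("utf-8"), hashlib.sha256).hexdigest()


def check_state_changing_request(method: str, session_id: Optional[str],
                                 form: Dict[str, str]) -> Tuple[bool, str]:
    """Decide whether a request that alters data may proceed.

    Policy from the thread: data-altering actions require HTTP POST plus a
    CSRF token that matches the caller's session.  Returns (allowed, reason).
    """
    if method.upper() != "POST":
        # A link in an e-mail or an <img src=...> only produces a GET, so
        # refusing non-POST already stops the simplest cross-site trigger.
        return False, "state change attempted with %s; POST required" % method
    if not session_id:
        return False, "no session cookie"
    submitted = form.get(TOKEN_FIELD, "")
    expected = csrf_token_for_session(session_id)
    # compare_digest avoids leaking the token through timing differences.
    if not hmac.compare_digest(submitted, expected):
        return False, "CSRF token missing or does not match session"
    return True, "ok"


def run_demo() -> Dict[str, bool]:
    """Run the check over constructed requests and return the verdicts."""
    victim = "sess-victim-0001"   # constructed session id
    other = "sess-other-0002"     # constructed session id of a different user
    good_form = {"movie": "12345", TOKEN_FIELD: csrf_token_for_session(victim)}
    return {
        # Same-origin form rendered by the site, carrying the user's own token.
        "legitimate_post": check_state_changing_request("POST", victim, good_form)[0],
        # Cross-site link: the browser sends the session cookie but can only GET.
        "cross_site_get": check_state_changing_request("GET", victim, {"movie": "12345"})[0],
        # Cross-site auto-submitted form: the cookie is sent, but the other
        # origin cannot read the user's token, so the field is absent.
        "cross_site_post_no_token": check_state_changing_request("POST", victim, {"movie": "12345"})[0],
        # A token valid for some other session does not transfer.
        "token_from_other_session": check_state_changing_request(
            "POST", victim, {TOKEN_FIELD: csrf_token_for_session(other)})[0],
    }


if __name__ == "__main__":
    for name, allowed in run_demo().items():
        print("%-26s %s" % (name, "allowed" if allowed else "rejected"))
```

The check protects against the cross-site request forgery the reply describes; as the quoted message notes, it does nothing against an on-path attacker or replay, since the token travels in the clear like every other header and field unless the connection is SSL.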
