On Sep 23, 6:13 pm, oggy <[EMAIL PROTECTED]> wrote:
> Could we just include something like a signed salt+timestamp
> +REMOTE_ADDR in a hidden field? It's not exactly bulletproof because
> of the possibility of a same-IP-CSRF (affecting people behind
> proxies), but it's dead simple and doesn't require a lot of code
> change: Form -> SafeForm + request as the first parameter to __init__.
> Heck, I'd even trust sed to do it for me ;).

Adding a signed field with a timestamp would be a much easier way to
secure forms. But it's not nearly as secure as having the token
signed with an additional cookie. By setting a signed cookie you can
verify that this very form was displayed to this very client. Also,
you don't want to expire a form too early for people who just type
slow. And if a token is available for too long someone can generate a
proper token and then use it for an attack for too long.