On Wed, Sep 24, 2008 at 5:29 AM, Brian Beck <[EMAIL PROTECTED]> wrote:

>
> On Sep 23, 12:13 pm, oggy <[EMAIL PROTECTED]> wrote:
> > Could we just include something like a signed salt+timestamp
> > +REMOTE_ADDR in a hidden field? It's not exactly bulletproof because
> > of the possibility of a same-IP-CSRF (affecting people behind
> > proxies), but it's dead simple and doesn't require a lot of code
> > change: Form -> SafeForm + request as the first parameter to __init__.
> > Heck, I'd even trust sed to do it for me ;).
>
> Timestamp and REMOTE_ADDR wouldn't make a proper token unless we also
> included the timestamp and REMOTE_ADDR as hidden fields -- the server
> needs to be able to *regenerate* the token when the form is submitted
> in order to validate the POSTed token.


There are still ways to use these or other identifying values without the
server having to store them somewhere.

csrf_token = "[timestamp]/[remote_addr]/[hash]"
where hash = sha1(timestamp + remote_addr + secret_key)
eg. 1222204129/123.123.123.123/40bd001563085fc35165329ea1ff5c5ecbdbbeef

base64 encode the csrf_token if you want to make it slightly more obscure.
eg. MTIyMjIwNDEyOS8xMjMuMTIzLjEyMy4xMjMvNDBiZDAwMTU2MzA4NWZjMzUxNjUzMjllYTFmZjVjNWVjYmRiYmVlZg==

then when you get a form submission, base64-decode it, split at "/", check
the hash matches by recalculating it, then use the proximity-to-timestamp
and the remote_addr to check the form validity.

Rob :)
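Rob's stateless scheme worked through as an added example (not code from this thread or from Django): it generates the "timestamp/remote_addr/hash" token, base64-encodes it, and on submission decodes, recomputes the hash, and applies the freshness and remote-address checks. It assumes a constructed placeholder secret, and substitutes HMAC-SHA256 with a constant-time compare for the plain sha1 concatenation described above.

```python
import base64
import hashlib
import hmac
import time

# Constructed placeholder secret for the example; a real deployment uses its own.
SECRET_KEY = b"constructed-example-secret-do-not-reuse"
MAX_AGE_SECONDS = 3600  # how long an issued token stays valid


def _mac(timestamp, remote_addr, secret):
    # Keyed hash over "timestamp/remote_addr". HMAC-SHA256 is used here in
    # place of the plain sha1(timestamp + remote_addr + secret) of the post.
    msg = ("%d/%s" % (timestamp, remote_addr)).encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def generate_token(remote_addr, now=None, secret=SECRET_KEY):
    """Return the stateless 'timestamp/remote_addr/hash' token, base64-encoded."""
    ts = int(now if now is not None else time.time())
    raw = "%d/%s/%s" % (ts, remote_addr, _mac(ts, remote_addr, secret))
    return base64.b64encode(raw.encode()).decode()


def validate_token(token, remote_addr, now=None, max_age=MAX_AGE_SECONDS,
                   secret=SECRET_KEY):
    """True only if the token decodes, its hash recomputes, it is fresh, and
    it was issued to the same remote address; False on any malformed input."""
    try:
        raw = base64.b64decode(token, validate=True).decode("ascii")
    except ValueError:  # bad base64, non-ASCII input, or undecodable bytes
        return False
    parts = raw.split("/")
    if len(parts) != 3 or not parts[0].isdecimal():
        return False
    ts = int(parts[0])
    # Recompute the hash from the submitted fields and compare in constant
    # time, so a tampered or forged token fails before the other checks.
    if not hmac.compare_digest(parts[2], _mac(ts, parts[1], secret)):
        return False
    current = now if now is not None else time.time()
    if ts > current or current - ts > max_age:
        return False  # issued in the future or older than max_age
    return parts[1] == remote_addr
```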
