Jonathan Vanasco wrote:

> can't a lot of this be locked down with http referrers?

Until July of this year, checking the Referer was thought to be a pretty good safeguard against CSRF, because an attacker would have to cause a victim to send the right Referer, which isn't so easy. Unfortunately, Amit Klein published some research in July that demonstrated how to do this with Flash. So, if your users use clients that support Flash (which most do), this is not a good safeguard.

Chris

--
Chris Shiflett
http://shiflett.org/
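An added illustration of the two defences under discussion (not code from either poster): a check that trusts the client-supplied Referer header beside a per-session token check that does not depend on any header the client chooses. `SITE_HOST`, the session and the request dictionaries are constructed for the example.

```python
# Added example: Referer-based CSRF check versus per-session token check.
# Not code from the thread; SITE_HOST and all request data are constructed.
import hmac
import secrets
from urllib.parse import urlsplit

SITE_HOST = "app.example"  # assumed hostname of the protected application


def referer_check(headers: dict) -> bool:
    """Accept a state-changing request only if the Referer names our own host.

    This relies on a header the client supplies, which is exactly why the
    thread concludes it is not a good safeguard once a client can be made
    to send an arbitrary Referer.
    """
    referer = headers.get("Referer", "")
    return urlsplit(referer).hostname == SITE_HOST


def issue_token() -> str:
    """Create an unguessable token to store in the session and embed in forms."""
    return secrets.token_urlsafe(32)


def token_check(session: dict, form: dict) -> bool:
    """Accept only if the submitted token equals the one bound to the session.

    A page on another origin cannot read the victim's session token, so it
    cannot supply the right value regardless of what headers it induces.
    """
    expected = session.get("csrf_token")
    submitted = form.get("csrf_token", "")
    return bool(expected) and hmac.compare_digest(expected, submitted)


def evaluate(headers: dict, session: dict, form: dict) -> dict:
    """Run both checks on one request and report which of them would accept it."""
    return {
        "referer": referer_check(headers),
        "token": token_check(session, form),
    }
```

Running `evaluate` on a request whose Referer names the site but which carries no token shows the Referer check accepting what the token check rejects.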