We do CSRF protection in genshi/pylons like this:
<form py:match="//form[@method='POST']"
      accept-charset="us-ascii,utf-8"
      py:attrs="select('@*')">
  <input type="hidden" name="t_token" value="${h.form_token()}" />
  ${select("*|text()")}
</form>
# get_alias, generate_hmac and validate_hmac are helpers from our own code base.
def form_token(alias=None):
    alias = get_alias(alias)
    timestamp, nonce, hmac = generate_hmac([alias])
    return ":".join([alias, timestamp, nonce, hmac])

def validate_form(kw, alias=None):
    alias = get_alias(alias)
    try:
        token = kw['t_token']
    except KeyError:
        return False
    try:
        token_alias, timestamp, nonce, hmac = token.split(':')
    except ValueError:
        return False
    errors = set()
    # tokens older than 24 hours are rejected
    if validate_hmac([token_alias], timestamp, nonce, hmac, errors,
                     60*60*24) and alias == token_alias:
        return True
    else:
        return False
On Fri, Apr 18, 2008 at 9:04 AM, Jonathan Vanasco <[EMAIL PROTECTED]> wrote:
>
> Django has a neat middleware component
>
> http://www.djangoproject.com/documentation/csrf/
>
> has anyone thought of porting this to pylons?
>
> >
>
You received this message because you are subscribed to the Google Groups
"pylons-discuss" group.
http://groups.google.com/group/pylons-discuss?hl=en
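The token scheme described in the post above (alias:timestamp:nonce:hmac, rejected after 24 hours and when the alias does not match) as a self-contained example. This is added illustration, not the poster's code or the pylons/genshi helpers: the poster's get_alias, generate_hmac and validate_hmac are not shown on the list, so the SECRET_KEY, the HMAC-SHA256 construction, the `now` parameter for testing and the constant-time comparison are assumptions of this example.

```python
import hashlib
import hmac
import os
import time

# Constructed secret for this example only; a real app loads it from config.
SECRET_KEY = b"example-secret-key-change-me"
TOKEN_MAX_AGE = 60 * 60 * 24  # one day, matching the post


def _mac(secret, alias, timestamp, nonce):
    """HMAC-SHA256 over the three public fields; the server secret binds them."""
    msg = "|".join([alias, timestamp, nonce]).encode("utf-8")
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def form_token(alias="default", secret=SECRET_KEY, now=None):
    """Build the hidden t_token value for a form rendered with this alias."""
    if ":" in alias:
        raise ValueError("alias must not contain ':' (it is the field separator)")
    timestamp = str(int(time.time() if now is None else now))
    nonce = os.urandom(16).hex()  # makes every rendered token distinct
    return ":".join([alias, timestamp, nonce, _mac(secret, alias, timestamp, nonce)])


def validate_form(kw, alias="default", secret=SECRET_KEY,
                  max_age=TOKEN_MAX_AGE, now=None):
    """Return True only for a well-formed, unexpired token issued for `alias`."""
    token = kw.get("t_token")
    if not isinstance(token, str):
        return False  # missing field: the request did not come from our form
    parts = token.split(":")
    if len(parts) != 4:
        return False  # malformed token
    token_alias, timestamp, nonce, mac = parts
    if token_alias != alias:
        return False  # token minted for a different form
    try:
        issued = int(timestamp)
    except ValueError:
        return False
    current = int(time.time() if now is None else now)
    if issued > current or current - issued > max_age:
        return False  # from the future or older than the allowed window
    expected = _mac(secret, alias, timestamp, nonce)
    # constant-time comparison so a forged mac cannot be guessed byte by byte
    return hmac.compare_digest(expected, mac)


if __name__ == "__main__":
    tok = form_token("login")
    print("fresh token valid:", validate_form({"t_token": tok}, "login"))
    print("wrong alias valid:", validate_form({"t_token": tok}, "other"))
```

The nonce here only makes tokens unique per render; because nothing is stored server-side, a captured token stays valid until the timestamp ages out, which is why the window and the alias check matter.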