Would it make sense to make SecureForm independent of sessions? And I mean not only in individual projects, but in Pylons as the framework. Forms can be authenticated by cookies. Placing the same (strong) token into a cookie (instead of the session) and into a form hidden field makes it equally inaccessible to CSRF attempts. AFAIK http-only cookies cannot be hijacked by JS, so the only possible form of attack would be engineering the victim to visit a malware page that does an automatic (say) POST via a hidden form -- but that form would still lack the token, which cannot be known.
Or am I missing something?

Furthermore, the way I use forms is to have the ability to manually invalidate the protection token. That works especially well with AJAX forms, where token regeneration after each submission that results in an error makes things unnecessarily complex. When the submission results in success, the (python) code can manually invalidate the token, and the ajax code can simply reload the page with the form, obtaining a fresh one. Or it can be "locked" to prevent further submissions (where duplicate posts would be a problem -- think Windows users who double-click links and buttons on the web, I've seen them plenty).

Also, what about "intermediate" posts? Take a form with an asynchronous file upload, for example a WYSIWYG editor with file management capabilities ((F)CKEditor for instance). One would wish to protect both the main form and the file uploading handler with a SecureForm, or do it manually. With this I find it useful for the file handling controller to "miss" invalidating the security token, relying on the main form post to do it. Or are there better ways I'm missing?

Vlad
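The cookie-plus-hidden-field scheme and the manual invalidation flow described in the post, as an added, framework-agnostic Python example (this is not Pylons or WebHelpers code, and the cookie name `csrf_token`, the field name `_authentication_token` and the `handle_submit` helper are assumptions chosen for illustration). The same random token is set in an HttpOnly cookie and rendered into the form; a submission is accepted only when both copies are present and equal (constant-time comparison). On a failed submission the token is left alone so an AJAX retry still works; on success it is expired so a duplicate post is rejected until the page is reloaded and a fresh token issued.

```python
import hmac
import secrets
from http.cookies import SimpleCookie

COOKIE_NAME = "csrf_token"             # assumed name, not a Pylons/WebHelpers name
FIELD_NAME = "_authentication_token"   # assumed hidden-field name


def issue_token():
    """Generate a fresh random token and the Set-Cookie header value carrying it.

    The cookie is HttpOnly (not readable by page scripts) and scoped to the site;
    the same value is also rendered into the form by hidden_field().
    """
    token = secrets.token_urlsafe(32)
    cookie = SimpleCookie()
    cookie[COOKIE_NAME] = token
    cookie[COOKIE_NAME]["httponly"] = True
    cookie[COOKIE_NAME]["secure"] = True
    cookie[COOKIE_NAME]["samesite"] = "Lax"
    cookie[COOKIE_NAME]["path"] = "/"
    return token, cookie.output(header="").strip()


def hidden_field(token):
    """HTML fragment that carries the token inside the (server-rendered) form."""
    return '<input type="hidden" name="%s" value="%s" />' % (FIELD_NAME, token)


def parse_cookie_header(header):
    """Turn a raw Cookie: request header into a {name: value} dict."""
    cookie = SimpleCookie()
    cookie.load(header or "")
    return {name: morsel.value for name, morsel in cookie.items()}


def verify(cookie_header, form):
    """True only when the cookie token and the form token both exist and match.

    A cross-site auto-submitted form sends the victim's cookie but cannot fill
    in the hidden field, so the form token is missing and verification fails.
    """
    cookie_token = parse_cookie_header(cookie_header).get(COOKIE_NAME)
    form_token = form.get(FIELD_NAME)
    if not cookie_token or not form_token:
        return False
    return hmac.compare_digest(cookie_token, form_token)


def invalidate_token():
    """Set-Cookie header value that expires the token cookie (manual invalidation)."""
    cookie = SimpleCookie()
    cookie[COOKIE_NAME] = ""
    cookie[COOKIE_NAME]["max-age"] = 0
    cookie[COOKIE_NAME]["path"] = "/"
    return cookie.output(header="").strip()


def handle_submit(cookie_header, form, succeeded):
    """Assumed controller flow: returns (status, set_cookie_or_None).

    403  token missing/mismatched: request rejected.
    400  handler reported an error: token kept, so the AJAX form can retry.
    200  success: token expired, so a double-click resubmission is rejected
         until the page is reloaded and a new token issued.
    """
    if not verify(cookie_header, form):
        return 403, None
    if succeeded:
        return 200, invalidate_token()
    return 400, None


if __name__ == "__main__":
    # Constructed walk-through of one form lifecycle.
    token, set_cookie = issue_token()
    print("Set-Cookie:", set_cookie)
    print(hidden_field(token))
    cookie_hdr = "%s=%s" % (COOKIE_NAME, token)
    print(handle_submit(cookie_hdr, {}, True))                  # (403, None): no form token
    print(handle_submit(cookie_hdr, {FIELD_NAME: token}, False))  # (400, None): keep token
    print(handle_submit(cookie_hdr, {FIELD_NAME: token}, True))   # (200, 'csrf_token=""; Max-Age=0; Path=/')
```

In a real Pylons controller the `Set-Cookie` values would go on `response.headers` and the form dict would be `request.POST`; the file-upload handler in the post's last scenario would call `verify()` but skip `invalidate_token()`, leaving that to the main form's handler.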
