On Sat, Feb 6, 2010 at 3:30 PM, Haron Media <[email protected]> wrote:
>
> Would it make sense to make SecureForm independent of sessions? And I
> mean not only in individual projects, but in Pylons as the framework.
> Forms can be authenticated by cookies. Placing the same (strong) token into
> a cookie (instead of the session) and into a form hidden field makes it
> equally inaccessible to CSRF attempts. AFAIK http-only cookies cannot be
> hijacked by JS, so the only possible form of attack would be engineering
> the victim to visit a malware page that does an automatic (say) POST via a
> hidden form -- but that form would still lack the token, which cannot be
> known.
>
> Or am I missing something?
I don't know about the best way to implement SecureForm, but I discovered when I was documenting it that it depends on pylons.session, so it's now under webhelpers.pylonslib in WebHelpers 1.0b4 and later. So you may have to change your import. I don't know whether a sessionless SecureForm is feasible, but if it is we can put it in the old place. But Ben just changed the @secure_form decorator in Pylons, so I doubt it's worth changing again. I did wonder how many people use SecureForm anyway, because I don't hear it mentioned that often.

-- 
Mike Orr <[email protected]>
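The sessionless scheme Haron describes is the "double-submit cookie" pattern: the server issues one unguessable token in an HttpOnly cookie and in a hidden form field, and a state-changing request is accepted only if the two copies match. The example below is added here to make that check concrete; it is not code from this thread, from Pylons, or from WebHelpers (whose SecureForm, as Mike notes, keeps the token in the session). The cookie name, field name and function names are assumptions chosen for the example.

```python
"""Double-submit cookie CSRF check (added example; names below are assumed)."""
import hmac
import html
import secrets
from http.cookies import SimpleCookie
from urllib.parse import parse_qs, urlencode

COOKIE_NAME = "csrf_token"   # assumed cookie name
FIELD_NAME = "_csrf_token"   # assumed hidden-field name
SAFE_METHODS = frozenset({"GET", "HEAD", "OPTIONS", "TRACE"})


def new_token(nbytes: int = 32) -> str:
    """A fresh, cryptographically random token (URL-safe, so it is also HTML-safe)."""
    return secrets.token_urlsafe(nbytes)


def set_cookie_header(token: str) -> str:
    """Value for the Set-Cookie response header: HttpOnly keeps script from reading it,
    Secure keeps it off plaintext HTTP, SameSite=Lax adds a second, independent layer."""
    jar = SimpleCookie()
    jar[COOKIE_NAME] = token
    jar[COOKIE_NAME]["httponly"] = True
    jar[COOKIE_NAME]["secure"] = True
    jar[COOKIE_NAME]["samesite"] = "Lax"
    jar[COOKIE_NAME]["path"] = "/"
    return jar.output(header="").strip()


def hidden_field(token: str) -> str:
    """The matching hidden input to embed in every form the server renders."""
    return f'<input type="hidden" name="{FIELD_NAME}" value="{html.escape(token)}">'


def verify(method: str, cookie_header: str, form_body: str) -> bool:
    """Accept a request only if the cookie copy and the form copy of the token agree.

    method        -- HTTP request method
    cookie_header -- raw value of the request's Cookie header ("" if absent)
    form_body     -- urlencoded request body ("" if absent)
    """
    if method.upper() in SAFE_METHODS:
        return True  # reads do not need protection; only state changes do

    jar = SimpleCookie()
    jar.load(cookie_header or "")
    morsel = jar.get(COOKIE_NAME)
    cookie_token = morsel.value if morsel else ""

    form_token = parse_qs(form_body or "").get(FIELD_NAME, [""])[0]

    if not cookie_token or not form_token:
        return False  # a cross-site form post cannot supply the hidden field

    # Constant-time comparison so the check itself leaks nothing about the token.
    return hmac.compare_digest(cookie_token.encode(), form_token.encode())


if __name__ == "__main__":
    # Constructed round trip: issue a token, render the form, then check a POST.
    token = new_token()
    print("Set-Cookie:", set_cookie_header(token))
    print(hidden_field(token))
    body = urlencode({FIELD_NAME: token, "comment": "hello"})
    print("same-site POST accepted:", verify("POST", f"{COOKIE_NAME}={token}", body))
    forged = urlencode({"comment": "hello"})  # what a foreign page can send: no token
    print("cross-site POST accepted:", verify("POST", f"{COOKIE_NAME}={token}", forged))
```

The check rejects a request that lacks either copy, carries two different tokens, or arrives without the cookie at all; it has nothing to do with the session store, which is the property the post is after. One caveat worth keeping in mind when choosing this over a session-bound token: the plain double-submit pattern is only as strong as the guarantee that nobody but the application can set cookies for its host, so it is commonly combined with a keyed signature over the token (or with SameSite, as above) rather than relied on alone.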
