On 04.07.2014 10:21, Torsten Irländer wrote:
> > As I did not want to keep track of synchronizer tokens on the
> > server side, the original web application read the session cookie
> > from the browser and added this token as a parameter for the
> > further requests. Thus the server only needs to compare the cookie
> > and the parameter.
> >
> Ok, and how did you add this token as a parameter to the further requests?
> Did you enhance the URL generation in Pyramid?

Hi Torsten,
this might all be rather unorthodox: this was handled by JavaScript code that reads the cookie. My web application had a bunch of JavaScript! Of course this would not work in a web application that does not use JavaScript. Then you might need to track the synchronizer token on the server side... (see https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29_Prevention_Cheat_Sheet#General_Recommendation:_Synchronizer_Token_Pattern)

Hm, my solution is really an old, expanded web app that needs some code cleaning ;-)

Kind regards
Cornelius
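The scheme Cornelius describes (client-side script copies the CSRF cookie into a request parameter, server compares the two and stores nothing) is what the OWASP cheat sheet calls the double submit cookie pattern. The following server-side check is an added example written for this thread; it is not Cornelius's application code nor anything from Pyramid. The cookie and parameter names, the request shapes and the sample requests are all assumed/constructed.

```python
import hmac
import secrets
from http.cookies import SimpleCookie
from typing import Optional
from urllib.parse import parse_qs

# Assumed names: the thread does not say what the original app called them.
COOKIE_NAME = "csrftoken"
PARAM_NAME = "csrftoken"

# Methods exempt from the check; they must never change server state.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}


def issue_token() -> str:
    """Mint an unpredictable token. The server sets it as a cookie once per
    session and keeps no copy: comparing cookie against parameter is enough."""
    return secrets.token_urlsafe(32)


def token_from_cookie(cookie_header: str) -> Optional[str]:
    """Pull the CSRF token out of a raw Cookie request header."""
    jar = SimpleCookie()
    try:
        jar.load(cookie_header or "")
    except Exception:  # malformed header: treat as no token
        return None
    morsel = jar.get(COOKIE_NAME)
    return morsel.value if morsel else None


def token_from_body(body: str) -> Optional[str]:
    """Pull the token the page's JavaScript copied from the cookie into the
    form-encoded request body."""
    values = parse_qs(body or "", keep_blank_values=True).get(PARAM_NAME)
    return values[0] if values else None


def csrf_check(method: str, cookie_header: str, body: str) -> bool:
    """Double-submit check. A cross-site page can make the browser *send* the
    cookie but cannot *read* it, so it cannot supply a matching parameter."""
    if method.upper() in SAFE_METHODS:
        return True
    cookie_token = token_from_cookie(cookie_header)
    body_token = token_from_body(body)
    if not cookie_token or not body_token:
        return False
    # Constant-time comparison so response timing does not leak a prefix match.
    return hmac.compare_digest(cookie_token, body_token)


if __name__ == "__main__":
    tok = issue_token()
    # Constructed sample requests: a genuine form post and a forged one that
    # carries the cookie (browser adds it) but not the parameter.
    print(csrf_check("POST", f"{COOKIE_NAME}={tok}", f"user=alice&{PARAM_NAME}={tok}"))
    print(csrf_check("POST", f"{COOKIE_NAME}={tok}", "user=alice"))
```

Two caveats a reviewer would raise on this pattern: the token must be unpredictable (hence `secrets`, not a session id that other code may log), and the check only holds if no attacker can set cookies for the site's domain, which is why OWASP's current guidance prefers a signed (HMAC) variant of the double submit cookie over the plain comparison shown here.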