2009/3/26 Reed O'Brien <r...@reedobrien.com>:
> I thought it was less about authenticating the user; more about verifying
> that the requestor POSTing a form was the same requestor that requested a
> form.

Right, but authentication is one way of identifying a requestor.

> [snip]
> assert request.form.secret_form_id == request.cookie.FORM_ID

Right, that's exactly it; but it might be nice to use an already
existing cookie.

> I know this doesn't cover all cases (xmlhttprequest) but AFAIU it is a solid
> way to protect POSTs from CSRF without requiring a shared secret.

You need this secret value to be special to each requestor; one way to
do that is to rely on a session id or credentials.

Repoze-dev mailing list
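One way to implement the check discussed in the thread, as an added example that is not code from the thread or from repoze itself: the form token is derived from the existing session cookie with an HMAC under a server-side secret, so it is specific to each requestor without issuing a second cookie. The secret value, the `session_id` cookie name and the `secret_form_id` field name are assumptions for the example.

```python
import hmac
import hashlib

# Assumed server-side secret (constructed for this example); in deployment it
# is loaded from configuration, never committed to source.
SERVER_SECRET = b"constructed-example-secret-do-not-use"


def csrf_token_for(session_id: str) -> str:
    """Derive the per-requestor form token from the existing session cookie.

    Keying the HMAC on the session id means a token minted for one session
    will not verify for any other, and nothing extra has to be stored.
    """
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def verify_post(form: dict, cookies: dict) -> bool:
    """Accept a POST only if its token matches the one derived from the session cookie.

    Equivalent to `form.secret_form_id == cookie.FORM_ID` from the thread, but
    the reference value is recomputed from the session cookie rather than
    carried in a dedicated cookie.
    """
    session_id = cookies.get("session_id")
    submitted = form.get("secret_form_id")
    if not session_id or not submitted:
        # No session or no token: treat as a cross-site POST and reject.
        return False
    expected = csrf_token_for(session_id)
    # Constant-time comparison so the expected token does not leak via timing.
    return hmac.compare_digest(expected, submitted)
```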