2009/3/26 Reed O'Brien <r...@reedobrien.com>:
> I thought it was less about authenticating the user; more about verifying
> that the requestor POSTing a form was the same requestor that requested a

Right, but authentication is one way of identifying a requestor.

> assert request.form.secret_form_id == request.cookie.FORM_ID

Right, that's exactly it; but it might be nice to use an already

> I know this doesn't cover all cases (xmlhttprequest) but AFAIU it is a solid
> way to protect POSTs from CSRF without requiring a shared secret.

You need this secret value to be special to each requestor; one way to
do that is to rely on a session id or credentials.
Repoze-dev mailing list
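The two checks discussed in the thread, written out as an added example (this is not code from the thread or from repoze): `double_submit_check` is the `form field == cookie` comparison quoted above, and `issue_form_token`/`verify_post` show the follow-up point that the value should be special to each requestor, by deriving it from a per-session secret that is stored server-side and never sent in the form. The `request` and `session_store` shapes (plain dicts with `cookies`, `form` and `csrf_secret` keys) are assumptions made for the example, not a repoze API.

```python
import hashlib
import hmac
import secrets


def new_session_secret() -> str:
    """Per-requestor secret kept in the server-side session.

    It is never written into the page; only tokens derived from it are.
    """
    return secrets.token_urlsafe(32)


def double_submit_check(form_value, cookie_value) -> bool:
    """The pattern quoted in the thread: hidden form field must equal the cookie.

    Any requestor that can set a cookie for the site can also make this pass,
    which is why the thread suggests binding the value to the session instead.
    """
    if form_value is None or cookie_value is None:
        return False
    return hmac.compare_digest(form_value, cookie_value)


def issue_form_token(session_secret: str, form_id: str) -> str:
    """Token embedded in a rendered form, bound to this session and this form."""
    return hmac.new(session_secret.encode(), form_id.encode(),
                    hashlib.sha256).hexdigest()


def verify_post(session_secret: str, form_id: str, submitted_token) -> bool:
    """Recompute the expected token and compare in constant time."""
    if not submitted_token:
        return False
    expected = issue_form_token(session_secret, form_id)
    return hmac.compare_digest(expected, submitted_token)


def handle_post(request: dict, session_store: dict) -> int:
    """Return an HTTP status for a POST; 403 unless the CSRF token checks out.

    `request` is an assumed shape: {'cookies': {...}, 'form': {...}}.
    `session_store` is an assumed shape: {session_id: {'csrf_secret': ...}}.
    """
    session = session_store.get(request["cookies"].get("session_id"))
    if session is None:
        return 403  # no session, nothing to bind the token to
    form = request["form"]
    if not verify_post(session["csrf_secret"], form.get("form_id", ""),
                       form.get("csrf_token")):
        return 403
    return 200


def demo() -> dict:
    """Constructed sessions and requests showing which POSTs are accepted."""
    store = {
        "sid-alice": {"csrf_secret": new_session_secret()},
        "sid-mallory": {"csrf_secret": new_session_secret()},
    }
    alice_token = issue_form_token(store["sid-alice"]["csrf_secret"], "comment")

    genuine = {"cookies": {"session_id": "sid-alice"},
               "form": {"form_id": "comment", "csrf_token": alice_token}}
    # Token issued to one session submitted under another session's cookie.
    other_session = {"cookies": {"session_id": "sid-mallory"},
                     "form": {"form_id": "comment", "csrf_token": alice_token}}
    # Form submitted without any token at all.
    missing = {"cookies": {"session_id": "sid-alice"},
               "form": {"form_id": "comment"}}

    return {
        "genuine": handle_post(genuine, store),
        "other_session": handle_post(other_session, store),
        "missing": handle_post(missing, store),
    }


if __name__ == "__main__":
    print(demo())
```

Deriving the token with an HMAC over the form id means the server stores one secret per session rather than one token per rendered form, and a token that leaks from one session is useless against another.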