On 25.02.2010 18:58, Tom Boutell wrote:
> I did much the same thing. But I think it's worth questioning whether
> adding the form class adds much security (I'd say "no") and therefore
> whether it makes sense to do it. Even if that's just a question for
> 2.0 at this point.
I agree, this doesn't really make sense if it poses problems.

One interesting way for 2.0 would be to embed that in the request handler. It would generate a token upon session creation (and I do mean once per session, not every request, because that's damn annoying if you use the site with multiple tabs) and then all get*Parameter() methods of the Request class would return null (or exception in dev?) if the token isn't present in a POST request. It would force everyone to use the token in all their forms.

Cheers,
Jordi
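The request-handler design sketched in the reply above, modelled as an added, self-contained Python example (not code from the thread or from any framework it refers to): one token minted per session, and every parameter getter on a POST request refusing to return anything unless that token was submitted. The class and field names (Session, Request, _csrf_token, dev_mode) are assumptions chosen for the illustration.

```python
import hmac
import secrets


class Session:
    """Server-side session; the CSRF token is minted once here, not per request,
    so several browser tabs sharing one session all submit the same value."""

    def __init__(self):
        self.csrf_token = secrets.token_hex(16)


class CsrfTokenMissing(Exception):
    """Raised instead of returning None when dev_mode is on."""


class Request:
    TOKEN_FIELD = "_csrf_token"  # assumed name of the hidden form field

    def __init__(self, method, params, session, dev_mode=False):
        self.method = method.upper()
        self._params = dict(params)   # constructed query/body parameters
        self.session = session
        self.dev_mode = dev_mode

    def _token_ok(self):
        # Only state-changing POSTs are gated; GET parameters stay readable.
        if self.method != "POST":
            return True
        sent = self._params.get(self.TOKEN_FIELD, "")
        # Constant-time comparison against the session's token.
        return hmac.compare_digest(sent, self.session.csrf_token)

    def get_parameter(self, name, default=None):
        """Every get*Parameter() accessor funnels through this check, so a
        form that omits the token simply never yields its fields."""
        if not self._token_ok():
            if self.dev_mode:
                raise CsrfTokenMissing(f"POST without valid {self.TOKEN_FIELD}")
            return None
        return self._params.get(name, default)

    def has_parameter(self, name):
        return self._token_ok() and name in self._params


def hidden_token_field(session):
    """HTML snippet a form helper would emit so every form carries the token."""
    return (f'<input type="hidden" name="{Request.TOKEN_FIELD}" '
            f'value="{session.csrf_token}">')
```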
