>
> Now, what prevents a hacker from writing JavaScript to retrieve a page
> from a logged-in user on my site, retrieve the CSRF token and make another
> JavaScript request using the token on my forms?
>

Tell me how you would do this. By doing that you'll discover the
difficulties yourself.

Regards,
Rytis

On Mon, Feb 16, 2009 at 12:46 AM, Hassen Ben Tanfous <
[email protected]> wrote:

> Hi,
>   I started looking at the new code in symfony 1.2 and I have a question.
>
> If I understand the way CSRF token works, it is generated as a hidden field
> in a form and if I use the link_to helpers, it is appended as a parameter in
> my links.
>
> Am I right?
>
> Now, what prevents a hacker from writing JavaScript to retrieve a page
> from a logged-in user on my site, retrieve the CSRF token and make another
> JavaScript request using the token on my forms?
>
> Thanks in advance for any replies
> Cheers
>
> -Hassen Ben Tanfous
>
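For the mechanism Hassen describes (a per-session token emitted as a hidden form field and checked on submit), the following is an added Python sketch, not symfony's own code, showing why a token captured from one session is useless against another. The in-memory session store, the field name `_csrf_token` and all helper names are assumptions for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed stand-in for the framework's session storage (assumption).
SESSIONS: dict[str, dict] = {}


def start_session() -> str:
    """Create a session with its own random CSRF secret and return the id."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"csrf_secret": secrets.token_hex(32)}
    return sid


def csrf_token(sid: str, form_name: str) -> str:
    """Derive the token from the session secret and the form name.

    Binding to the session means a token read from the attacker's own
    browser never validates for the victim's session; binding to the form
    name keeps a token for one form from being replayed against another.
    """
    secret = SESSIONS[sid]["csrf_secret"].encode()
    return hmac.new(secret, form_name.encode(), hashlib.sha256).hexdigest()


def render_hidden_field(sid: str, form_name: str) -> str:
    """The hidden field the form template would emit for this session.

    A script served from a different origin cannot read this page (the
    browser's same-origin policy blocks reading the response unless the
    server explicitly allows it), so the token is not exposed to it.
    """
    return f'<input type="hidden" name="_csrf_token" value="{csrf_token(sid, form_name)}">'


def validate_post(sid: str, form_name: str, post_data: dict) -> bool:
    """Accept the submission only if the token matches this session and form."""
    submitted = str(post_data.get("_csrf_token", ""))
    expected = csrf_token(sid, form_name)
    # Constant-time comparison on bytes (compare_digest rejects non-ASCII str).
    return hmac.compare_digest(submitted.encode(), expected.encode())
```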

You received this message because you are subscribed to the Google Groups 
"symfony users" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to 
[email protected]
For more options, visit this group at 
http://groups.google.com/group/symfony-users?hl=en