As long as you have some hash with the cookie forming some part of the CSRF token, each form render has a unique hash for that page.
Thus, its not possible for a hacker to 'gain' access to that page, unless they are sniffing packets and the raw HTML source. If thats the case, you've got much bigger problems. Also if you use a secure hash say sha1 with another salt. it's pretty hard to hack, the worst they can do is DOS, as brute force is very unlikely to be successful. Even more secure would be using this hash, and also changing the session_id often. On Feb 15, 11:46 pm, Hassen Ben Tanfous <[email protected]> wrote: > Hi, > I started looking at the new code in symfony 1.2 and I have a question. > > If I understand the way CSRF token works, it is generated as a hidden field > in a form and if I use the link_to helpers, it is appended as a parameter in > my links. > > Am I right? > > Now, what prevents a hacker from writing a javascript to retrieve a page > from a logged in user on my site, retrieve the CSRF token and make another > javascript request using the token on my forms?? > > Thanks in advance for any replies > Cheers > > -Hassen Ben Tanfous --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "symfony users" group. To post to this group, send email to [email protected] To unsubscribe from this group, send email to [email protected] For more options, visit this group at http://groups.google.com/group/symfony-users?hl=en -~----------~----~----~----~------~----~------~--~---
