> Now, what prevents a hacker from writing a javascript to retrieve a page
> from a logged in user on my site, retrieve the CSRF token and make another
> javascript request using the token on my forms??


How could an outsider ever get hold of a form that you are only 
revealing to a user who is logged in? (Unless you have foolishly allowed 
outside attackers to embed Javascript directly into your templates, in 
which case you've some serious architectural issues that you need to fix.)

--- lawrence krubner

Hassen Ben Tanfous wrote:
> Hi,
>   I started looking at the new code in symfony 1.2 and I have a question.
> 
> If I understand the way CSRF token works, it is generated as a hidden field
> in a form and if I use the link_to helpers, it is appended as a parameter in
> my links.
> 
> Am I right?
> 
> Now, what prevents a hacker from writing a javascript to retrieve a page
> from a logged in user on my site, retrieve the CSRF token and make another
> javascript request using the token on my forms??
> 
> Thanks in advance for any replies
> Cheers
> 
> -Hassen Ben Tanfous
> 

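The mechanism and the reasoning in the exchange above, as an added illustration that is not part of the original thread or of symfony itself: a per-session CSRF token rendered as a hidden field, a POST handler that checks it, and the two outcomes that matter, a same-origin page that can read the token and a cross-site request that only carries the victim's cookie. Names (`login`, `render_form`, `handle_post`, the `_csrf_token` field) are assumptions for this example.

```python
# Added illustration of the CSRF discussion above; not symfony's own code.
# A minimal server model: a session cookie, a random CSRF token bound to the
# session and rendered as a hidden form field, and a POST handler that checks it.
import hmac
import secrets

# In-memory session store (constructed for the example): session_id -> data
SESSIONS = {}

def login(user):
    """Create a session and a random CSRF token bound to it."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_hex(16)}
    return sid

def render_form(sid):
    """The HTML only the logged-in browser receives. A script on another
    origin cannot read this response, so it never sees the token."""
    token = SESSIONS[sid]["csrf"]
    return ('<form method="post">'
            f'<input type="hidden" name="_csrf_token" value="{token}">'
            '<input name="amount"></form>')

def extract_token(html):
    """What same-origin code can do with the page. Only injected script (XSS),
    the caveat raised in the reply, would let an outsider run this."""
    marker = 'name="_csrf_token" value="'
    start = html.index(marker) + len(marker)
    return html[start:html.index('"', start)]

def handle_post(cookie_sid, fields):
    """Accept the action only when the submitted token matches the session's.
    A forged cross-site request arrives with the cookie but without the token."""
    session = SESSIONS.get(cookie_sid)
    if session is None:
        return 401, "not logged in"
    submitted = fields.get("_csrf_token", "")
    # constant-time comparison so the check itself leaks nothing about the token
    if not hmac.compare_digest(submitted, session["csrf"]):
        return 403, "csrf token mismatch"
    return 200, f"transfer of {fields['amount']} by {session['user']}"

def forged_cross_site_request(cookie_sid):
    """A third-party page can make the browser submit with the victim's cookie,
    but it cannot supply a token it was never able to read."""
    return handle_post(cookie_sid, {"amount": "1000"})
```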

You received this message because you are subscribed to the Google Groups 
"symfony users" group.
For more options, visit this group at 
http://groups.google.com/group/symfony-users?hl=en