#328: Consider adding support for nonces
-------------------------+--------------------------------------------------
Reporter: david | Owner: david
Type: enhancement | Status: new
Priority: high | Milestone: 1.0
Component: _OTHER_ | Version:
Severity: major | Resolution:
Keywords: |
-------------------------+--------------------------------------------------
Comment (by _cheerios):
Some thoughts:
Could FPF be adjusted to add a hidden text field with nonce as value to
forms? If possible, it would automate everything that is necessary for
nonce support*.
Nonce could be constructed from:
1) cnonce: unique value in user's session
2) salt: a secret value stored server side
(and perhaps 3) username: the username of the user stored in the session)
After use of nonce, the ''cnonce'' value would be updated in the session
to invalidate the used nonce.
* Ajax calls could be made to work by having the nonce be available as a
global variable that gets appended to the parameters on submit. This is
beyond Agavi.
--
Ticket URL: <http://trac.agavi.org/ticket/328#comment:1>
Agavi <http://www.agavi.org/>
An MVC Framework for PHP5
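The scheme sketched in the comment above, as an added example that is not Agavi code and not part of the ticket: the nonce is a keyed hash over the session's `cnonce` and the username, using a server-side secret as the key, emitted as a hidden form field, checked on submit, and the `cnonce` rotated afterwards so the token is single-use. It assumes PHP 7 or later and uses a plain array in place of the real session store; `NONCE_SALT` and the `_nonce` field name are placeholders chosen for the example.

```php
<?php
// Added example (not Agavi code). Demonstrates:
//   nonce = HMAC-SHA256(salt, cnonce || username)
// as a hidden field, verification with a constant-time compare, and cnonce
// rotation after use. $session is a plain array standing in for the session.

// Server-side secret ("salt" in the ticket). Placeholder: load from config.
const NONCE_SALT = 'replace-with-a-long-random-secret';

// Per-session unique value ("cnonce"). Created on first use.
function ensureCnonce(array &$session): string
{
    if (empty($session['cnonce'])) {
        $session['cnonce'] = bin2hex(random_bytes(16));
    }
    return $session['cnonce'];
}

// Derive the nonce. Keyed hash, so the value cannot be forged without the salt.
function buildNonce(array &$session): string
{
    $cnonce   = ensureCnonce($session);
    $username = $session['username'] ?? '';
    // NUL separator keeps (cnonce, username) pairs unambiguous.
    return hash_hmac('sha256', $cnonce . "\0" . $username, NONCE_SALT);
}

// What a form helper would emit into every generated <form>.
function hiddenNonceField(array &$session): string
{
    $nonce = buildNonce($session);
    return '<input type="hidden" name="_nonce" value="'
        . htmlspecialchars($nonce, ENT_QUOTES, 'UTF-8') . '">';
}

// Verify the submitted value and rotate cnonce so the nonce is single-use.
function verifyAndConsumeNonce(array &$session, array $post): bool
{
    $submitted = $post['_nonce'] ?? '';
    $expected  = buildNonce($session);
    // hash_equals avoids leaking the expected value through timing.
    $ok = is_string($submitted) && hash_equals($expected, $submitted);
    // Rotate on every attempt: a correct token is consumed, a wrong one
    // cannot be retried against the same expected value.
    $session['cnonce'] = bin2hex(random_bytes(16));
    return $ok;
}

// Walk-through with a constructed session.
$session = ['username' => 'alice'];
$field   = hiddenNonceField($session);
echo $field, PHP_EOL;

// Simulate the browser echoing the hidden field back on submit.
preg_match('/value="([0-9a-f]+)"/', $field, $m);
$post = ['_nonce' => $m[1]];

var_dump(verifyAndConsumeNonce($session, $post)); // first submit is accepted
var_dump(verifyAndConsumeNonce($session, $post)); // replay of the same token is rejected
```

Because `cnonce` changes after every check, a second form that was rendered before the first one was submitted will also fail verification; an application with several forms open at once would need to keep a small window of recent `cnonce` values, or tie the nonce to the form rather than the session. The ticket's idea of exposing the current nonce as a global for Ajax requests works with this layout because `buildNonce()` is cheap to call when rendering the page.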