Hello,

Having a secret field token which consists of a user name (or any other unique authentication key) and a secret certainly helps. This way, you have to make sure you validate this token on each request to your secured form.

You may find this helpful: http://pylonshq.com/docs/en/0.9.7/helpers/#secure-form-tag-helpers

Regards,
Patrick

On Wed, Oct 20, 2010 at 2:11 PM, James <[email protected]> wrote:
> Hi,
> Is there a best practice to avoid CSRF attacks on TG2 servers?
>
> The options that spring to mind are:
> - side-effecty calls must be POST form submissions (and check the HTTP
> method in the server method)
> - add an unguessable token to side-effecty GET requests
>
> For the latter, I'm guessing some unique ID from the session would be
> best - any tips on what to use specifically?
>
> Any further suggestions on ways to prevent CSRF?
>
> Thanks,
> James
>
> --
> You received this message because you are subscribed to the Google Groups "TurboGears" group.
> To post to this group, send email to [email protected].
> To unsubscribe from this group, send email to [email protected].
> For more options, visit this group at http://groups.google.com/group/turbogears?hl=en.
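As an added example (not code from Patrick's reply, from the Pylons secure-form helpers he links, or from TurboGears itself), here is one way to build the kind of token he describes: an HMAC under a server-side secret over the session id, the user name and an issue time, checked on every side-effecting request, combined with the POST-only rule from James's first option. The `SERVER_SECRET` value, the `handle_transfer` handler and the plain-dict `request`/`session` shapes are assumptions constructed for the example; a real TurboGears controller would read these from the framework's request and session objects.

```python
import hashlib
import hmac
import time
from typing import Dict, Optional, Tuple

# Assumed: in a real deployment this comes from the app config, never from source.
# Constructed value so the example runs offline.
SERVER_SECRET = b"constructed-example-secret-do-not-reuse"

TOKEN_TTL = 3600  # seconds a token stays valid; bounds replay of a leaked token


def make_csrf_token(session_id: str, username: str, issued_at: Optional[int] = None) -> str:
    """Return 'issued_at:mac' where mac = HMAC-SHA256(secret, session_id|username|issued_at).

    Binding the MAC to the session id means a token minted for one browser
    session is useless in another, even for the same user name.
    """
    if issued_at is None:
        issued_at = int(time.time())
    msg = f"{session_id}|{username}|{issued_at}".encode()
    mac = hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()
    return f"{issued_at}:{mac}"


def verify_csrf_token(token: str, session_id: str, username: str, now: Optional[int] = None) -> bool:
    """Recompute the expected token for this session/user and compare in constant time."""
    if now is None:
        now = int(time.time())
    try:
        issued_str, _mac = token.split(":", 1)
        issued_at = int(issued_str)
    except (ValueError, AttributeError):
        return False  # malformed or missing token
    if issued_at > now or now - issued_at > TOKEN_TTL:
        return False  # expired or from the future
    expected = make_csrf_token(session_id, username, issued_at)
    # compare_digest on bytes avoids both timing leaks and TypeError on non-ASCII input
    return hmac.compare_digest(expected.encode(), token.encode())


def handle_transfer(request: Dict, session: Dict, now: Optional[int] = None) -> Tuple[int, str]:
    """Hypothetical side-effecting handler: refuse non-POST, then require a valid token.

    `request` is assumed to be {"method": str, "form": {field: value}} and
    `session` to be {"id": str, "user": str}; both shapes are constructed here.
    """
    if request.get("method") != "POST":
        return 405, "method not allowed"  # James's first option: no side effects on GET
    token = request.get("form", {}).get("_csrf", "")
    if not verify_csrf_token(token, session["id"], session["user"], now=now):
        return 403, "invalid CSRF token"
    amount = request["form"].get("amount", "0")
    return 200, f"transferred {amount} for {session['user']}"


if __name__ == "__main__":
    session = {"id": "sess-1", "user": "alice"}
    token = make_csrf_token(session["id"], session["user"])
    good = {"method": "POST", "form": {"amount": "10", "_csrf": token}}
    forged = {"method": "POST", "form": {"amount": "10"}}  # cross-site form has no token
    print(handle_transfer(good, session))
    print(handle_transfer(forged, session))
```

The token is rendered into the form as a hidden field and re-derived on the server from the session, so nothing has to be stored per token; rotating `SERVER_SECRET` or the session id invalidates every outstanding token, and `hmac.compare_digest` keeps the check free of timing leaks.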

