On Tue, Mar 4, 2008 at 4:42 AM, Sebastiaan van Erk <[EMAIL PROTECTED]> wrote:

> The form with the token looks good; the question I have is: why is
> something like it not the default (since almost everybody's site will be
> vulnerable without it)?
Because we are a generic framework, and I believe the thinking so far has been that this kind of security is not a requirement but an exception. Clearly, if you are building a banking app then security is the default and insecure is the exception. E.g. we can enable CSRF protection out of the box, but then you are completely screwed if you want to have your website indexed: crawlers don't like different URLs pointing to the same content and they don't support sessions. If our users tell us they want the security to be the default we would make the switch...

-igor
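The form-with-token pattern the thread refers to (a per-session synchronizer token embedded in the form and checked on submit), as an added, framework-agnostic illustration that is not Wicket code or code from either poster; the field name `csrf_token` and the dict-based session are constructed for the example. The token lives in the session and the hidden field, not in the URL, which is why indexed GET pages keep stable URLs while POST submissions are still protected.

```python
import hmac
import secrets

TOKEN_FIELD = "csrf_token"  # constructed form field name, not a Wicket API


def issue_token(session: dict) -> str:
    """Create (or reuse) the per-session anti-CSRF token to embed in forms."""
    token = session.get(TOKEN_FIELD)
    if token is None:
        # 256 bits from a CSPRNG; an attacker's page cannot guess or read it.
        token = secrets.token_urlsafe(32)
        session[TOKEN_FIELD] = token
    return token


def render_form(session: dict, action: str) -> str:
    """Render a POST form carrying the session token in a hidden field.

    The action URL stays free of the token, so crawlers see one stable URL
    per page and no session-bound variants.
    """
    token = issue_token(session)
    return (
        f'<form method="post" action="{action}">'
        f'<input type="hidden" name="{TOKEN_FIELD}" value="{token}">'
        '<input type="submit"></form>'
    )


def verify_submission(session: dict, form_fields: dict) -> bool:
    """Accept a POST only if it carries the token issued to this session.

    A cross-site request can make the browser send the cookie, but it cannot
    read the token from the victim's page, so it fails here.
    """
    expected = session.get(TOKEN_FIELD)
    submitted = form_fields.get(TOKEN_FIELD)
    if expected is None or submitted is None:
        return False  # no token issued, or none submitted: reject
    # Constant-time comparison avoids leaking the token via timing.
    return hmac.compare_digest(expected, submitted)
```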