All you have to do is not put sensitive forms on bookmarkable pages. The bookmarkable pages containing forms should be things like searches, which aren't really meaningful targets for attack. The sensitive forms for things like account info, transactions, etc., should be on session-relative URLs, which of course will work with CryptedUrlWebRequestCodingStrategy.
Hope this helps,
Jamie

mfs wrote:
> Yet another question on the usage of CryptedUrlWebRequestCodingStrategy. So
> let's say we have implemented the CryptedUrlWebRequestCodingStrategy; now
> even in that case wouldn't the following statement be true:
>
> "All pages which are mounted through any of the
> bookmarkable-url-encoding-strategies for NICE urls would STILL be
> vulnerable to CSRF attacks?"
>
> Though the statement wouldn't be true for forms/links or any wicket
> event/action on that page (correct me if I am wrong here). To prevent
> that we should ensure that:
>
> - No such critical actions are performed in the constructor of the
> page. In other words all such actions (ideally) should be invoked via some
> events on the page itself.
>
> Thanks in advance,
>
> Farhan.
>
> --
> View this message in context: http://www.nabble.com/HybridUrlCodingStrategy-and-CryptedUrlWebRequestCodingStrategy-tp23960469p25480921.html
> Sent from the Wicket - User mailing list archive at Nabble.com.
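Putting the two messages together in code, as an added example that is not from the thread or from the Wicket project: a Wicket 1.4 application that mounts only the harmless search page on a nice URL, leaves the sensitive account page unmounted so it is reached through a session-relative (and, with the coding strategy below, encrypted) URL, and keeps the account page's constructor free of state changes so the only way to trigger the action is the form's onSubmit. The class names, the "/search" mount path, the updateEmail method and the crypt key are assumptions for illustration; the matching .html templates with the wicket:id attributes are assumed to exist.

```java
// Added example, not code from the mailing-list thread or from Wicket itself.
// Targets the Wicket 1.4 API the thread discusses; names marked below are assumptions.
package example;

import org.apache.wicket.Page;
import org.apache.wicket.markup.html.WebPage;
import org.apache.wicket.markup.html.form.Form;
import org.apache.wicket.markup.html.form.TextField;
import org.apache.wicket.markup.html.link.Link;
import org.apache.wicket.model.Model;
import org.apache.wicket.protocol.http.WebApplication;
import org.apache.wicket.protocol.http.WebRequestCycleProcessor;
import org.apache.wicket.protocol.http.request.CryptedUrlWebRequestCodingStrategy;
import org.apache.wicket.protocol.http.request.WebRequestCodingStrategy;
import org.apache.wicket.request.IRequestCodingStrategy;
import org.apache.wicket.request.IRequestCycleProcessor;
import org.apache.wicket.request.target.coding.HybridUrlCodingStrategy;
import org.apache.wicket.util.crypt.CachingSunJceCryptFactory;

public class ShopApplication extends WebApplication {

    @Override
    protected void init() {
        super.init();
        // Only the search page gets a bookmarkable "nice" URL. It carries a form,
        // but a forged GET /search?q=... changes nothing, so it is not a CSRF target.
        mount(new HybridUrlCodingStrategy("/search", SearchPage.class));
        // AccountPage is deliberately NOT mounted: it is only ever reached via
        // setResponsePage(new AccountPage()) inside an existing session, so its
        // URL is session-relative and, with the strategy below, encrypted.
        // Assumption: replace Wicket's built-in default key with a deployment key.
        getSecuritySettings().setCryptFactory(
                new CachingSunJceCryptFactory("change-me-per-deployment"));
    }

    @Override
    public Class<? extends Page> getHomePage() {
        return SearchPage.class;
    }

    @Override
    protected IRequestCycleProcessor newRequestCycleProcessor() {
        // Wrap the default coding strategy so session-relative URLs are encrypted.
        return new WebRequestCycleProcessor() {
            @Override
            protected IRequestCodingStrategy newRequestCodingStrategy() {
                return new CryptedUrlWebRequestCodingStrategy(new WebRequestCodingStrategy());
            }
        };
    }
}

/** Bookmarkable page: harmless even if an attacker can make a victim load it. */
class SearchPage extends WebPage {
    public SearchPage() {
        final Model<String> query = new Model<String>("");
        Form<Void> search = new Form<Void>("search") {
            @Override
            protected void onSubmit() {
                // Read-only work only; nothing here mutates account state.
                info("searching for " + query.getObject());
            }
        };
        search.add(new TextField<String>("q", query));
        add(search);
        // Navigation to the sensitive page happens by instance, never by a mounted URL.
        add(new Link<Void>("account") {
            @Override
            public void onClick() {
                setResponsePage(new AccountPage());
            }
        });
    }
}

/** Session-relative page: constructor has no side effects, the action lives in onSubmit. */
class AccountPage extends WebPage {
    public AccountPage() {
        final Model<String> email = new Model<String>("");
        Form<Void> form = new Form<Void>("changeEmail") {
            @Override
            protected void onSubmit() {
                // Assumed helper: the only place account state is changed.
                updateEmail(email.getObject());
            }
        };
        form.add(new TextField<String>("email", email));
        add(form);
    }

    private void updateEmail(String newEmail) {
        // Assumption: persist the change for the current session's user.
        info("email changed to " + newEmail);
    }
}
```

Two checks worth doing on a real deployment: request the account page's URL from a fresh browser session and confirm you get a page-expired error rather than the form, and confirm that the encrypted URLs differ across deployments, since CryptedUrlWebRequestCodingStrategy only makes URLs hard to forge when the key is not the one shipped in Wicket's default crypt factory.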
