That was fast, thanks! :D

>
> *********************************
>
> *... By default, Auth protects logins against cross-site request forgeries 
> (CSRF). This is actually provided by web2py's standard CSRF protection 
> whenever forms are generated in a session. However, under some 
> circumstances, the overhead of creating a session for login, password 
> request and reset attempts may be undesirable. DOS attacks are 
> theoretically possible. CSRF protection can be disabled for Auth forms (as 
> of v 2.6):*
> *Auth = Auth(..., csrf_prevention = False)*
>
> *Note that doing this purely to avoid session overload on a busy site is 
> not recommended because of the introduced security risk. Instead, see the 
> Deployment chapter for advice on reducing session overheads.......*
>
> ****************************
>
 
So accurate indeed, I'll look deeply into the deployment chapter as stated, now 
that I know the CSRF verification can be bypassed it kinda feels wrong 
deactivating that security mechanism... So, will look into overhead, 
because... This is a backend prototype for Internet of Things... So, 
overhead, better have the right control. It will be kinda busy as for its 
role we want to implement (you can imagine because the requests to server 
from embedded devices, if everything goes fine, tons of them). I proposed 
web2py after some noob research, noob because it's a pretty new topic for 
the rush of businesses growing and asking for IoT solutions and for the 
time I was given to build a functional prototype that can migrate or stay 
at the hosting we have, change from sqlite to MySQL, change from Rocket to 
Apache and eventually secure it and scale it. So, web2py is the shot.

I truly want to know your opinion! :D

Thanks a lot! Buena vibra!
