Couldn't a man-in-the-middle attacker hijack the form key, since it goes by POST?
Then keep hitting the server with a bogus request that includes the hijacked key.

On Friday, June 29, 2012 12:51:59 AM UTC-4, Anthony wrote:
>
> > The easiest way to implement this is to replace self.formkey and
> > self.session.formkey in gluon/html.py so that it stores not one key but the
> > last 10 keys.
>
> The number should be configurable.
>
> > I am still unsure about this. We can make it work but allowing the past
> > 10 open forms to still be submitted can be considered a vulnerability.
>
> How would that be exploited?
>
> Anthony
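To make the "last N keys" idea in the quoted exchange concrete, here is an added illustration written for this thread; it is not web2py's own gluon/html.py code and the class and method names (FormKeyStore, issue, consume) are assumed. Each session keeps a bounded ring of issued keys, so a user with several forms open can still submit any of them, and a key is accepted at most once, so a key captured from one POST body cannot be replayed against the server repeatedly. What the store cannot do is keep a network attacker from reading the key in the first place; only transport encryption does that.

```python
import hmac
import secrets
from collections import deque

# Added illustration (not web2py's gluon/html.py): a per-session store that
# keeps the last N issued form keys instead of a single key, with every key
# valid for exactly one submission.  Names used here are assumptions.


class FormKeyStore:
    """Bounded, one-time-use form key store for a single user session."""

    def __init__(self, max_keys=10):
        # max_keys is the configurable limit discussed in the thread (default 10)
        self.max_keys = max_keys
        self._keys = deque()

    def issue(self):
        """Create a fresh unpredictable key, remember it, and drop the oldest
        keys once the limit is exceeded (the oldest open forms expire first)."""
        key = secrets.token_urlsafe(32)
        self._keys.append(key)
        while len(self._keys) > self.max_keys:
            self._keys.popleft()
        return key

    def consume(self, submitted):
        """Accept a submission only if its key was issued and is still unused.
        A matching key is removed immediately, so replaying it is rejected."""
        if not isinstance(submitted, str):
            return False
        for stored in list(self._keys):
            # constant-time comparison so timing does not leak key bytes
            if hmac.compare_digest(stored, submitted):
                self._keys.remove(stored)
                return True
        return False

    def pending(self):
        """Number of keys currently valid for this session."""
        return len(self._keys)


def demo():
    """Open 12 forms with a limit of 10, then submit and replay one of them."""
    store = FormKeyStore(max_keys=10)
    keys = [store.issue() for _ in range(12)]
    return {
        "evicted": store.consume(keys[0]),  # two oldest keys were dropped
        "first": store.consume(keys[5]),    # a live key is accepted once
        "replay": store.consume(keys[5]),   # the same key again is rejected
        "left": store.pending(),            # 10 kept, 1 consumed -> 9 remain
    }


if __name__ == "__main__":
    print(demo())
```

The one-time consumption is the part that answers the replay concern: a captured key buys at most one submission, and the bounded deque keeps the window of outstanding keys small and tunable.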

