On 04/04/2011 12:23 PM, Wichert Akkerman wrote:
> On 2011-4-4 18:22, Roger wrote:
>> Hi Laurence, Stephan
>> Just because you can write login forms with
>> z3c.form this package has nothing to do with
>> authentication. That's just a form framework!
>> Authentication is definitely not a part
>> of our z3c.form framework and should not
>> become one.
>> Why do you think authentication has something
>> to do with the z3c.form library? Did I miss
> CSRF has nothing to do with authentication. It has to do with securing
> forms on websites.
Imagine that Alice Malice runs a site she tempts Bob Slob to visit while
Bob is logged into your site with privileged credentials. Alice submits a
form to your site on Bob's behalf, perhaps granting Alice extra
permissions, or defacing your site.
If your site uses CSRF-protected forms, then "real" forms will contain a
hidden field whose value is a "signature" (a hashed value known only to
the server). The server generates the hash when it renders the form,
and stores it in the authenticated user's session; when the form is
submitted, the server checks that the hash is valid before processing
the form. Because it has either a missing or an invalid hash, Alice's
spoofed submission can be rejected.
Tres Seaver +1 540-429-0999 tsea...@palladion.com
Palladion Software "Excellence by Design" http://palladion.com
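An added example, not code from the thread or from z3c.form, of the scheme Tres describes: the server puts a random value in a hidden field when rendering the form, remembers it in the authenticated user's session, and rejects a submission whose value is missing or does not match. The session store, the field name `_authenticator` and the form ids are assumptions.

```python
import hmac
import secrets
from html import escape

TOKEN_FIELD = "_authenticator"  # hypothetical name of the hidden field


def issue_token(session, form_id):
    """Generate a random token while rendering form_id and remember it in
    the authenticated user's session (one token per form)."""
    token = secrets.token_hex(32)
    session.setdefault("csrf", {})[form_id] = token
    return token


def hidden_field(token):
    """The hidden <input> that a 'real' form rendered by the server carries."""
    return '<input type="hidden" name="%s" value="%s">' % (TOKEN_FIELD, escape(token))


def verify_submission(session, form_id, post_data):
    """True only if the submitted token matches the one stored for this
    session and form; a missing token, unknown form or mismatch all fail."""
    expected = session.get("csrf", {}).get(form_id)
    submitted = post_data.get(TOKEN_FIELD)
    if expected is None or not isinstance(submitted, str):
        return False
    # constant-time comparison so response timing does not leak the token
    if not hmac.compare_digest(expected.encode("utf-8"), submitted.encode("utf-8")):
        return False
    del session["csrf"][form_id]  # one-time use: a replayed token is rejected
    return True


def demo():
    """Constructed scenario: Bob's session, one legitimate and two forged posts."""
    bob_session = {"user": "bob", "roles": ["Manager"]}
    token = issue_token(bob_session, "grant-role")
    legit = {"principal": "alice", "role": "Manager", TOKEN_FIELD: token}
    # Alice's page can make Bob's browser send his cookies, but it cannot
    # read the token stored in Bob's session, so it posts without one ...
    forged = {"principal": "alice", "role": "Manager"}
    # ... or with a guess that does not match.
    guessed = dict(legit, **{TOKEN_FIELD: "0" * 64})
    return (verify_submission(bob_session, "grant-role", forged),
            verify_submission(bob_session, "grant-role", guessed),
            verify_submission(bob_session, "grant-role", legit),
            verify_submission(bob_session, "grant-role", legit))  # replay
```

`demo()` returns `(False, False, True, False)`: both forged posts and the replay are rejected, only the form the server actually rendered for Bob passes.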
Zope-Dev maillist - Zope-Dev@zope.org