
On 04/04/2011 12:23 PM, Wichert Akkerman wrote:
> On 2011-4-4 18:22, Roger wrote:
>> Hi Laurence, Stephan
>> Just because you can write login forms with
>> z3c.form this package has nothing to do with
>> authentication. That's just a form framework!
>> Authentication is definitely not a part
>> of our z3c.form framework and should not
>> become one.
>> Why do you think authentication has something
>> to do with the z3c.form library? Did I miss
>> something?
> CSRF has nothing to do with authentication. It has to do with securing 
> forms on websites.

Imagine that Alice Malice runs a site she tempts Bob Slob to visit while
Bob is logged into your site with privileged credentials.  Alice adds
javascript to an apparently harmless page which "spoofs" submitting a
form to your site on Bob's behalf, perhaps granting Alice extra
permissions, or defacing your site.

If your site uses CSRF-protected forms, then "real" forms will contain a
hidden field whose value is a "signature" (a hashed value known only to
the server).  The server generates the hash when it renders the form,
and stores it in the authenticated user's session;  when the form is
submitted, the server checks that the hash is valid before processing
the form.  Because it has either a missing or an invalid hash, Alice's
spoofed submission can be rejected.

-- 
Tres Seaver          +1 540-429-0999          tsea...@palladion.com
Palladion Software   "Excellence by Design"    http://palladion.com
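The session-bound hidden-field check Tres describes, as an added example that is not part of the original thread and not Zope's or z3c.form's own code. It assumes a plain dict standing in for the server-side session, a hypothetical hidden-field name `_csrf_token`, and a hypothetical `/grant-permissions` form action; `demo()` plays through Bob's legitimate submission and two forged ones from Alice's page.

```python
import hmac
import html
import secrets
from typing import Mapping, MutableMapping, Tuple

# Hypothetical name of the hidden field carrying the token (an assumption).
CSRF_FIELD = "_csrf_token"


def issue_csrf_token(session: MutableMapping[str, str]) -> str:
    """Return the session's CSRF token, minting one if the session has none.

    The value is random and lives only in the server-side session and in
    pages rendered by this origin, so a script on Alice's origin can neither
    read it (same-origin policy) nor guess it (32 bytes of entropy).
    """
    token = session.get(CSRF_FIELD)
    if token is None:
        token = secrets.token_urlsafe(32)
        session[CSRF_FIELD] = token
    return token


def render_form(session: MutableMapping[str, str],
                action: str = "/grant-permissions") -> str:
    """Render the 'real' form with the session's token in a hidden field."""
    token = issue_csrf_token(session)
    return (
        f'<form method="post" action="{html.escape(action, quote=True)}">\n'
        f'  <input type="hidden" name="{CSRF_FIELD}"'
        f' value="{html.escape(token, quote=True)}">\n'
        '  <input type="text" name="user">\n'
        '  <input type="submit" value="Grant">\n'
        '</form>'
    )


def csrf_token_is_valid(session: Mapping[str, str],
                        form: Mapping[str, str]) -> bool:
    """True only if the submitted token matches the one stored in the session.

    A missing token on either side is a failure; the comparison is constant
    time so a forger cannot learn the token byte by byte from timing.
    """
    expected = session.get(CSRF_FIELD)
    submitted = form.get(CSRF_FIELD)
    if expected is None or submitted is None:
        return False
    return hmac.compare_digest(expected, submitted)


def handle_submission(session: Mapping[str, str],
                      form: Mapping[str, str]) -> Tuple[int, str]:
    """Server-side handler: reject the POST before doing anything privileged."""
    if not csrf_token_is_valid(session, form):
        return 403, "CSRF check failed: missing or invalid token"
    return 200, f"granted permissions to {form.get('user', '')}"


def demo() -> Tuple[Tuple[int, str], Tuple[int, str], Tuple[int, str]]:
    # Constructed session for Bob, who is logged in with privileged roles.
    bob_session = {"user": "bob", "roles": "Manager"}

    # Bob loads the real form: the token is minted and stored in his session.
    render_form(bob_session)
    real_token = bob_session[CSRF_FIELD]

    # Bob submits the real form; browser sends his cookie AND the hidden field.
    legitimate = handle_submission(
        bob_session, {CSRF_FIELD: real_token, "user": "carol"})

    # Alice's page auto-submits a form to our site. Bob's browser attaches
    # his session cookie, but Alice's page cannot supply the hidden field.
    forged_missing = handle_submission(bob_session, {"user": "alice"})

    # Alice ships a made-up token instead; it does not match Bob's session.
    forged_guessed = handle_submission(
        bob_session, {CSRF_FIELD: secrets.token_urlsafe(32), "user": "alice"})

    return legitimate, forged_missing, forged_guessed


if __name__ == "__main__":
    for label, result in zip(("bob", "alice/no token", "alice/guess"), demo()):
        print(f"{label:>15}: {result}")
```

Two points the paragraph leaves implicit: the check only helps if every state-changing action is behind a POST that runs it, since a GET that grants permissions can be triggered from Alice's page with nothing more than an `<img src=...>` tag; and the token must be compared in constant time and never leak into URLs or referrers, or the "known only to the server" property is lost.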


Zope-Dev maillist  -  Zope-Dev@zope.org
(Related lists - 
 https://mail.zope.org/mailman/listinfo/zope )