Fixing CSRF exploits in Infrastructure

Till Maas opensource at
Wed Nov 26 00:27:47 UTC 2008

On Wed November 26 2008, Toshio Kuratomi wrote:

> To be easy to code, require the token for every request of an
> authenticated user.

If I understand your proposal correctly, a user would need to login again for 
every link he clicks from his bookmarks or any mail he gets from a Fedora 
webapplication, e.g. packagedb. And with every login a previous session is 
invalidated, which also includes links in another open browser tab, where the 
user logged after he clicked the previous link.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 827 bytes
Desc: This is a digitally signed message part.
Url : 

More information about the infrastructure mailing list