Fixing CSRF exploits in Infrastructure
Till Maas
opensource at till.name
Wed Nov 26 00:27:47 UTC 2008
On Wed November 26 2008, Toshio Kuratomi wrote:
> To be easy to code, require the token for every request of an
> authenticated user.
If I understand your proposal correctly, a user would need to login again for
every link he clicks from his bookmarks or any mail he gets from a Fedora
webapplication, e.g. packagedb. And with every login a previous session is
invalidated, which also includes links in another open browser tab, where the
user logged after he clicked the previous link.
Regards,
Till
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 827 bytes
Desc: This is a digitally signed message part.
Url : http://lists.fedoraproject.org/pipermail/infrastructure/attachments/20081126/7c30c860/attachment.bin
More information about the infrastructure
mailing list