Roundup Tracker - Issues

Message4790

Author joseph_myers
Recipients ber, joseph_myers, schlatterbeck
Date 2013-02-04.14:01:28
Message-id <Pine.LNX.4.64.1302041356010.26120@digraph.polyomino.org.uk>
In-reply-to <1359971024.46.0.325487866363.issue2550690@psf.upfronthosting.co.za>
https://en.wikipedia.org/wiki/Cross-site_request_forgery#Prevention
https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet
(for example) discuss various approaches used to protect against CSRF.  
For Roundup I still think the right approach is a secret token used in all 
forms (and it should not be possible to compute the session ID from this 
token, so that having a leaked copy of a form doesn't allow a third party 
to generate a cookie to impersonate the user).
History
Date                 User           Action         Args
2013-02-04 14:01:29  joseph_myers   setrecipients  + joseph_myers, schlatterbeck, ber
2013-02-04 14:01:29  joseph_myers   link           issue2550690 messages
2013-02-04 14:01:28  joseph_myers   create