[Seaside-dev] Issue 84 in seaside: make action ids non-incremental
codesite-noreply at google.com
Tue Jul 1 05:21:32 UTC 2008
Issue 84: make action ids non-incremental
http://code.google.com/p/seaside/issues/detail?id=84
Comment #1 by philippe.marschall:
Lukas made a good point: the action id is bound to the continuation id, and the continuation id is random like the session id. As the user clicks through the application, old continuation ids are discarded.

An attacker would have to make a request without a continuation id to get a new continuation id and then parse the result. Although laborious, this would certainly be doable. However, in this case a random action id could be circumvented as well, as could all known countermeasures to CSRF (tokens).

To conclude, it looks as if we're as well off as anybody else and the proposal here wouldn't improve anything.
Issue attribute updates:
Status: WontFix
Labels: -Priority-Medium Priority-Low
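The argument above, modelled as an added example (Python, not Seaside code): a forged request that carries a guessed incremental action id is still rejected unless it also names a live, random continuation key. The class, its field names and the "keep the last N continuations" policy are assumptions for illustration, not Seaside's actual implementation.

```python
import secrets


class ContinuationRegistry:
    """Toy model of a Seaside-style session: every rendered page gets a random
    continuation key, and the callbacks registered on that page are numbered
    incrementally (1, 2, 3, ...). Old continuations are discarded as the user
    navigates, so a forged URL must guess a key that only the victim's last
    responses contained."""

    def __init__(self, keep=2):
        self.session_id = secrets.token_urlsafe(16)  # random, like Seaside's _s
        self.keep = keep                              # live continuations to retain
        self.continuations = {}                       # key -> {action id: callback}
        self.live_keys = []                           # oldest first

    def render_page(self, callbacks):
        """Register callbacks for a freshly rendered page; return (key, action ids)."""
        key = secrets.token_urlsafe(16)               # random, like the session id
        self.continuations[key] = {str(i + 1): cb for i, cb in enumerate(callbacks)}
        self.live_keys.append(key)
        while len(self.live_keys) > self.keep:        # discard old continuation ids
            del self.continuations[self.live_keys.pop(0)]
        return key, list(self.continuations[key])

    def handle(self, session_id, key, action_id):
        """Dispatch one request. The session cookie alone (what a CSRF request
        carries) is not enough: the continuation key must be live and the
        action id must exist on that continuation."""
        if session_id != self.session_id:
            return "rejected: unknown session"
        actions = self.continuations.get(key)
        if actions is None:
            return "rejected: unknown or expired continuation"
        callback = actions.get(action_id)
        if callback is None:
            return "rejected: unknown action"
        return callback()


if __name__ == "__main__":
    reg = ContinuationRegistry()
    key, ids = reg.render_page([lambda: "account deleted"])
    print(reg.handle(reg.session_id, key, ids[0]))          # legitimate click
    print(reg.handle(reg.session_id, "guessed-key", "1"))   # cookie + guessed action id
```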