[Seaside-dev] Seaside and CSRF attacks

tim Rowledge tim at rowledge.org
Tue Aug 21 19:08:37 UTC 2018


It's been a looong time since I did any work with Seaside. In fact I suspect the last thing I did with it was to persuade Avi that separate template files etc weren't nice and I think that led to Seaside 2.

Right now I need to remember/relearn where the system deals with the keys that ensure the incoming requests talk to the right widgets. I have a problem with convincing some potential customers that a Seaside application is resistant to a CSRF attack and I'm having a hell of a time digging into the current code. Pointers to the relevant classes would save some strain on my aging eyes. If anyone has any specific knowledge about the whole CSRF thing I'd be delighted to hear about it! I've tried testing with some OWASP tools (nasty icky Java) but it's hard trying to make sense of the problem.

(It doesn't help that this is within a VW8.3 system and I haven't used VW since I stopped being the manager of the VW development group - in '95!)

tim
--
tim Rowledge; tim at rowledge.org; http://www.rowledge.org/tim
Eagles may soar, but weasels aren't sucked into jet engines.



