Posted to user@struts.apache.org by Dale Newfield <Da...@Newfield.org> on 2007/08/01 00:29:11 UTC

Re: [S2]Architectural answer to CSRF?

Musachy Barroso wrote:
> If there was a way of doing that, wouldn't it defeat the protection?

Probably, but I was hoping someone might suggest a way that it didn't.

> Another thing, does the HDIV plugin have this already?

Not really--it doesn't prevent the request from being made or acted 
upon, just might make it harder for an attacker to figure out what 
values to pass to get the desired result.  HDIV only really seems to 
help by masking primary key information in URLs -- and I've been careful 
to (just about) never have clients reflect PKs back to me so that I 
don't have to trust them.

-Dale
