add request tokens to web.py

Bug #121408 reported by Aaron Swartz
Affects   Status      Importance   Assigned to     Milestone
web.py    Confirmed   Wishlist     Aaron Swartz

Bug Description

The typical way to build a web.py application that lets users do things is to:

a) give the user a cookie to log into the site
b) present them with an HTML page with some prepared request (i.e. form or link)
c) do the action when they submit the request

The problem is that, with cross-site scripting attacks, scripts on other pages can cause the user's browser to submit the same request and, since the user already has the cookie, the request will go through.

To prevent this, request tokens should be sent along with the request. This makes this attack more difficult, since the scripter has to grab the token and then use it to resubmit the request. (Admittedly, this doesn't seem like much of an improvement, but I might be missing something. I guess JavaScript makes it easier to send cross-server POSTs than it does to get the responses of GETs: http://www.webappsec.org/lists/websecurity/archive/2007-01/msg00157.html)

Aaron Swartz (aaronsw)
description: updated
Changed in webpy:
assignee: nobody → aaronsw
status: New → Confirmed
importance: Undecided → Wishlist
Changed in webpy:
milestone: none → 0.35
foxbunny (bg-branko) wrote:

This should probably be a feature in web.form.

* web.form accepts an optional session object
* it saves the token in session and retrieves it at validation
* it needs a configuration option for session expiry timings
* probably a few more things I can't remember at the moment
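An added example, not web.py's code and not part of the report or the comment above, of the token scheme Aaron describes and the session-backed variant foxbunny suggests: a token is minted once per session, embedded in the prepared form as a hidden field, and checked before the action runs. A plain dict stands in for web.py's session object; the session key and field name are assumed names.

```python
import hmac
import secrets

SESSION_KEY = "csrf_token"  # assumed session key name


def issue_token(session):
    """Return the session's request token, creating it on first use.

    One token per login session suffices for the scheme in the report: a
    script on another site can make the browser send the cookie, but it
    cannot read the page that carries the token.
    """
    token = session.get(SESSION_KEY)
    if token is None:
        token = secrets.token_urlsafe(32)
        session[SESSION_KEY] = token
    return token


def hidden_field(session, name="_token"):
    """HTML fragment to embed in the prepared form (step b of the report)."""
    return '<input type="hidden" name="%s" value="%s">' % (name, issue_token(session))


def validate(session, submitted):
    """True only if the submitted token equals the one stored in the session.

    hmac.compare_digest keeps the comparison time independent of how many
    leading characters matched, so the check leaks nothing about the token.
    """
    expected = session.get(SESSION_KEY)
    if expected is None or submitted is None:
        return False
    return hmac.compare_digest(expected, submitted)


def handle_post(session, form):
    """Step c of the report: perform the action only when the token checks out."""
    if not validate(session, form.get("_token")):
        return 403, "request token missing or invalid"
    return 200, "action performed"


if __name__ == "__main__":
    session = {}  # constructed stand-in for the logged-in user's session
    print(hidden_field(session))
    # A submission from the page we rendered carries the token.
    print(handle_post(session, {"_token": session[SESSION_KEY], "item": "42"}))
    # A forged cross-site submission arrives with the cookie but no token.
    print(handle_post(session, {"item": "42"}))
```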
