[Zope-dev] CSRF protection for z3c.form
Tres Seaver
tseaver at palladion.com
Mon Apr 4 12:44:34 EDT 2011
On 04/04/2011 12:23 PM, Wichert Akkerman wrote:
> On 2011-4-4 18:22, Roger wrote:
>> Hi Laurence, Stephan
>>
>> Just because you can write login forms with
>> z3c.form this package has nothing to do with
>> authentication. That's just a form framework!
>>
>> Authentication is definitely not a part
>> of our z3c.form framework and should not
>> become one.
>>
>> Why do you think authentication has something
>> to do with the z3c.form library? Did I miss
>> something?
>
> CSRF has nothing to do with authentication. It has to do with securing
> forms on websites.
Imagine that Alice Malice runs a site she tempts Bob Slob to visit while
Bob is logged into your site with privileged credentials. Alice adds
javascript to an apparently harmless page which "spoofs" submitting a
form to your site on Bob's behalf, perhaps granting Alice extra
permissions, or defacing your site.
If your site uses CSRF-protected forms, then "real" forms will contain a
hidden field whose value is a "signature" (a hashed value known only to
the server). The server generates the hash when it renders the form,
and stores it in the authenticated user's session; when the form is
submitted, the server checks that the hash is valid before processing
the form. Because it has either a missing or an invalid hash, Alice's
spoofed submission can be rejected.
Tres.
- --
===================================================================
Tres Seaver +1 540-429-0999 tseaver at palladion.com
Palladion Software "Excellence by Design" http://palladion.com
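The scheme Tres describes above (a secret value generated when the form is rendered, kept in the user's session, and checked before the submission is processed), written out as an added Python example; this is not code from the thread or from z3c.form. The field name `_csrf_token`, the plain `dict` standing in for the session, and a random per-session token in place of a server-computed hash are assumptions.

```python
import hmac
import secrets

# Name of the hidden form field (assumed; not a z3c.form identifier).
TOKEN_FIELD = "_csrf_token"


class CsrfError(Exception):
    """Raised when a submission lacks a valid CSRF token."""


def issue_token(session):
    """Return the session's token, creating a random one on first use."""
    token = session.get(TOKEN_FIELD)
    if token is None:
        token = secrets.token_hex(32)   # 256 bits; only the server knows it
        session[TOKEN_FIELD] = token
    return token


def render_form(session, action="/grant"):
    """Render a form carrying the session token as a hidden field.

    The token is hex, so it needs no HTML escaping.
    """
    token = issue_token(session)
    return (f'<form method="post" action="{action}">'
            f'<input type="hidden" name="{TOKEN_FIELD}" value="{token}">'
            '<input type="submit"></form>')


def check_token(session, submitted):
    """Reject a submission whose token is missing or does not match."""
    expected = session.get(TOKEN_FIELD)
    provided = submitted.get(TOKEN_FIELD)
    if expected is None or provided is None:
        raise CsrfError("missing token")
    # Constant-time comparison so timing does not leak the token.
    if not hmac.compare_digest(expected.encode(), provided.encode()):
        raise CsrfError("invalid token")


def handle_submission(session, submitted):
    """Process the form only after the CSRF check passes."""
    try:
        check_token(session, submitted)
    except CsrfError as exc:
        return ("rejected", str(exc))
    return ("accepted", submitted.get("user"))
```

A spoofed submission from a third-party page cannot read Bob's session token, so it arrives without one (or with a guess) and is rejected before any privilege change happens.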