On Sep 24, 1:04 am, Simon Willison <[EMAIL PROTECTED]> wrote:
> There's another option that avoids the need for any cookies at all:
> generating a persistent one-use-only token when a form is saved,
> storing that in the database and only allowing submissions that
> include a token that was previously assigned.

Scratch that - the tokens would still need to be assigned to an
individual user (almost certainly keyed off a cookie) as otherwise an
attacker could create their own tokens and use them to attack another
user.

It would work for sites protected using HTTP authentication rather
than cookies though, as you'd be able to attach each token to the HTTP
auth username. I don't think this is a case we need to address though.
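The point made above, that a server-side one-use token is only meaningful when it is also keyed to the principal it was issued to (a session cookie or, for HTTP-authenticated sites, the auth username), as an added example that is not part of this thread or of Django's CSRF implementation; `TokenStore`, `issue`, `consume` and `cross_user_replay` are hypothetical names:

```python
import secrets


class TokenStore:
    """Server-side store of one-use form tokens.

    Each token records the principal (session id or HTTP auth username)
    it was issued to, so a submission can be checked against both
    'was this token ever issued?' and 'was it issued to *this* user?'.
    """

    def __init__(self):
        self._tokens = {}  # token -> owner it was issued to

    def issue(self, owner):
        token = secrets.token_urlsafe(32)  # 256 bits of randomness
        self._tokens[owner + ":" + token] = owner
        return token

    def consume(self, token, presenting_owner, bind_to_owner=True):
        """Return True if the token is valid for this submission.

        The token is removed on first use regardless of the outcome,
        so a rejected or replayed token cannot be retried later.
        """
        if bind_to_owner:
            # Lookup is keyed by the presenting user: a token issued to
            # someone else simply does not exist from this user's view.
            owner = self._tokens.pop(presenting_owner + ":" + token, None)
            return owner is not None
        # Unbound mode (the design the message rejects): any issued
        # token is accepted no matter who it was issued to.
        for key in list(self._tokens):
            if key.endswith(":" + token):
                del self._tokens[key]
                return True
        return False


def cross_user_replay(bind_to_owner):
    """Constructed scenario: a token issued to one principal is
    presented inside a submission made under another principal's
    credentials. Returns whether the store accepts it."""
    store = TokenStore()
    foreign_token = store.issue("other-user")
    return store.consume(foreign_token, "victim", bind_to_owner=bind_to_owner)
```

With `bind_to_owner=False` the foreign token is accepted, which is the weakness the message describes; with binding on it is rejected while a user's own token still works exactly once.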