On Dec 12, 2007 9:01 PM, "Andrew A" <[EMAIL PROTECTED]> wrote:
> Actually, the suggested prevention tactic is to create a post variable in
> your form of type "hidden" with a securely generated one-time ticket that an
> attacker would not be able to scrape without performing an xmlhttp call,
> therefore signalling a (real) security problem with the app in question.
> Requiring the user to re-input their login credentials for every database
> write would be absolutely ridiculous from both a design and security
> perspective.
>
> But then again, you must know all this with your extensive experience in web
> app security and development.
Yeah dude, we would call that a nonce. Your definition is fine too though...
-- 
Kristian Erik Hermansen
"I have no special talent. I am only passionately curious."

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
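The hidden-field nonce the thread describes, as an added example that is not part of either poster's message: the server draws a one-time token from the OS CSPRNG, binds it to the session that rendered the form, echoes it in a hidden input, and refuses any state-changing POST that does not present an unconsumed token for that session. The names (CsrfTokenStore, handle_transfer, browser_submits, the /transfer form) are hypothetical; the four scenarios at the end are constructed to show a legitimate submit, a replay, a classic cross-site forged POST, and an attacker reusing a nonce issued to their own session.

```python
"""Hidden-field CSRF nonces: issue a one-time token per form render, bind it to
the session, and refuse any state-changing POST that does not present it.
Added example; CsrfTokenStore, handle_transfer and the form are hypothetical."""
import hmac
import re
import secrets
from typing import Dict, Optional, Set


class CsrfTokenStore:
    """Server-side record of unconsumed tokens, keyed by session id.

    The token is not derived from anything the attacker can guess
    (secrets.token_urlsafe draws from the OS CSPRNG) and is removed on first
    successful use, so a replayed or later-leaked token is worthless."""

    def __init__(self) -> None:
        self._unused: Dict[str, Set[str]] = {}

    def issue(self, session_id: str) -> str:
        token = secrets.token_urlsafe(32)  # 256 bits of entropy, URL-safe text
        self._unused.setdefault(session_id, set()).add(token)
        return token

    def consume(self, session_id: str, presented: Optional[str]) -> bool:
        """Return True and burn the token iff it was issued to this session."""
        if not presented:
            return False
        for token in list(self._unused.get(session_id, ())):
            if hmac.compare_digest(token, presented):  # constant-time compare
                self._unused[session_id].discard(token)
                return True
        return False


def render_transfer_form(store: CsrfTokenStore, session_id: str) -> str:
    """HTML the server would send; the nonce rides in a hidden input."""
    token = store.issue(session_id)
    return (
        '<form method="post" action="/transfer">'
        f'<input type="hidden" name="csrf_token" value="{token}">'
        '<input name="to"><input name="amount">'
        '<button>Send</button></form>'
    )


def handle_transfer(store: CsrfTokenStore, session_id: str,
                    form: Dict[str, str]) -> int:
    """POST handler: 403 without a valid nonce, 200 when the write proceeds."""
    if not store.consume(session_id, form.get("csrf_token")):
        return 403
    # ... the database write would happen here ...
    return 200


def browser_submits(page: str, **fields: str) -> Dict[str, str]:
    """Simulate the user's browser copying the hidden field into the POST body."""
    match = re.search(r'name="csrf_token" value="([^"]+)"', page)
    return {"csrf_token": match.group(1) if match else "", **fields}


def run_scenarios() -> Dict[str, int]:
    """Constructed scenarios; returns the HTTP status each one would get."""
    store = CsrfTokenStore()
    victim, attacker = "sess-victim", "sess-attacker"

    # 1. Legitimate flow: user loads the form, browser echoes the nonce back.
    page = render_transfer_form(store, victim)
    good = browser_submits(page, to="alice", amount="10")
    legit = handle_transfer(store, victim, good)

    # 2. Replay of the same nonce after it has been consumed.
    replay = handle_transfer(store, victim, good)

    # 3. Classic CSRF: the attacker's page auto-submits a form that carries the
    #    victim's cookies, but same-origin policy stops it reading the victim's
    #    page, so no nonce can be included.
    forged = handle_transfer(store, victim, {"to": "mallory", "amount": "1000"})

    # 4. Attacker fetches a nonce for *their own* session and submits it with
    #    the victim's session; the nonce is bound to the session that got it.
    attacker_page = render_transfer_form(store, attacker)
    cross = handle_transfer(
        store, victim, browser_submits(attacker_page, to="mallory", amount="1000"))

    return {"legit": legit, "replay": replay,
            "forged": forged, "cross_session": cross}


if __name__ == "__main__":
    print(run_scenarios())
```

Two design points matter beyond "put a random value in a hidden field": the server compares in constant time and keys the token by session, so a nonce obtained from the attacker's own account cannot be spent against someone else's, and a nonce is deleted on first use, so scenario 2 fails even though the value was once valid. An application that stores one long-lived token per session instead of per render gets the same protection against scenario 3, but then a token that leaks (for example through an XSS bug or a log) stays usable until the session ends.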