Thanks David, that worked; I was trying to prevent HTTP GET requests.
But I might as well prevent CSRF attacks too. According to your
explanation:

1. Have to add a hidden input tag with the value of the user's session
id (session.id)
2. Retrieve and compare this value; if it's missing, send the dude
packing

Is that right?


On Sep 25, 9:16 pm, David Turner <[EMAIL PROTECTED]> wrote:
> On Tue, 2007-09-25 at 18:58 +0000, voltron wrote:
> > I have 2 URLs:
>
> > /profile
> > /save_profile
>
> > "/profile" renders a form that has "/save_profile" as its action
> > attribute. Unfortunately, one could do this:
>
> > www.mydomain.com/save_profile
>
> > and it would be executed. Is there a way to make such urls not
> > callable to the outside world? Can such URLs be masked/hidden? I had
> > to add it in my routes configuration otherwise the form would not have
> > found it.
>
> Are you trying to prevent CSRF attacks?  If so, the only way is to
> include a secret in all your forms that corresponds to the user's
> cookie.
>
> Or are you just trying to not allow HTTP GET requests?  If so, pass
> conditions=dict(method="POST") to your routing
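The token scheme David describes, as an added example that is not code from this thread or from Pylons itself: the hidden field carries an HMAC of the session id under a server-side secret rather than the raw session id, the check uses a constant-time comparison, and a stand-in handler rejects non-POST requests the way conditions=dict(method="POST") would. SERVER_SECRET, the field name _csrf and the save_profile signature are assumptions.

```python
import hmac
import hashlib
import secrets
from typing import Dict, Optional, Tuple

# Constructed server-side secret; a real app loads it from configuration.
SERVER_SECRET = b"replace-with-a-random-per-deployment-secret"


def make_csrf_token(session_id: str, secret: bytes = SERVER_SECRET) -> str:
    """Derive a form token bound to the user's session cookie.

    An HMAC over the session id is used instead of the raw session id, so the
    value embedded in HTML never reveals the cookie itself.
    """
    return hmac.new(secret, session_id.encode(), hashlib.sha256).hexdigest()


def hidden_input(session_id: str) -> str:
    """The hidden input tag to render inside the /profile form."""
    return '<input type="hidden" name="_csrf" value="%s">' % make_csrf_token(session_id)


def verify_csrf_token(session_id: str, submitted: Optional[str],
                      secret: bytes = SERVER_SECRET) -> bool:
    """A missing or mismatching token fails; comparison is constant-time."""
    if not submitted:
        return False
    expected = make_csrf_token(session_id, secret)
    return hmac.compare_digest(expected, submitted)


def save_profile(method: str, session_id: str, form: Dict[str, str]) -> Tuple[int, str]:
    """Minimal stand-in for the /save_profile handler (hypothetical signature).

    Returns (HTTP status, message): 405 for anything but POST, 403 when the
    CSRF token is absent or does not belong to this session, else 200.
    """
    if method.upper() != "POST":
        return 405, "Method Not Allowed"
    if not verify_csrf_token(session_id, form.get("_csrf")):
        return 403, "Forbidden: missing or invalid CSRF token"
    return 200, "profile saved"


if __name__ == "__main__":
    sid = secrets.token_hex(16)  # constructed session id
    good = {"_csrf": make_csrf_token(sid), "name": "alice"}
    print(save_profile("GET", sid, good))                # 405
    print(save_profile("POST", sid, {"name": "alice"}))  # 403, no token
    print(save_profile("POST", sid, good))               # 200
```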

