That's a good reason. thanks! I'll definitely look to migrate then.
We should be relatively immune to this. ajax doesn't appear in browser history, and we refresh the token frequently. On Thursday, December 5, 2013 1:43:18 PM UTC-5, Vincent Catalano wrote: > > According to the OWASP documentation ( > https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet) > > it should be avoided since using it in GET requests could possibly expose > the token via the browser history or server logs. > -- You received this message because you are subscribed to the Google Groups "pylons-discuss" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To post to this group, send email to [email protected]. Visit this group at http://groups.google.com/group/pylons-discuss. For more options, visit https://groups.google.com/groups/opt_out.
