Paul Hammant wrote on 11/23/2008 7:28 AM: 
> The article talks of prepending with {"d": and suffixing with } if the
> root node is an array.  Is that the best strategy?

The best strategy is to generate a unique token (nonce) when you create a 
session for the user and store that value in their session, then with every 
request that you want to protect, include the nonce with the request.  So it'd 
look like:

        $.get("path/to/my/service?nonce=s8NPYG1Nhsy3GI0yFKju" ...)

Then on the server, confirm the nonce passed in matches the nonce stored in the 
session before you return any data.  Since an attacker won't know the nonce 
value, it defeats the CSRF attempt.


- Bil
