> Now, what prevents a hacker from writing a javascript to retrieve a page
> from a logged in user on my site, retrieve the CSRF token and make another
> javascript request using the token on my forms??
How could an outsider ever get hold of a form that you are only
revealing to a user wh
As long as you have some hash with the cookie forming some part of the
CSRF token, each form render has a unique hash for that page.
Thus, it's not possible for a hacker to 'gain' access to that page,
unless they are sniffing packets and the raw HTML source.
If that's the case, you've got much bigg
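
The token scheme the reply above describes (a hash that includes the session cookie and differs on every form render), as an added Python example that is not code from the thread. The HMAC-SHA256 construction, the server key handling and the function names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed server-side secret for this example; a real application
# would load a long-lived key from its configuration.
SERVER_KEY = secrets.token_bytes(32)


def _mac(nonce: str, session_cookie: str) -> str:
    """HMAC over the per-render nonce and the session cookie value."""
    msg = f"{nonce}:{session_cookie}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_token(session_cookie: str) -> str:
    """Token embedded in a rendered form: fresh nonce plus its MAC."""
    nonce = secrets.token_hex(16)  # makes every form render unique
    return f"{nonce}.{_mac(nonce, session_cookie)}"


def verify_token(session_cookie: str, token: str) -> bool:
    """Accept a submitted token only if it was issued for this session."""
    nonce, sep, mac = token.partition(".")
    if not sep or not nonce or not mac:
        return False  # missing or malformed token field
    expected = _mac(nonce, session_cookie)
    # Constant-time comparison on bytes, so odd input cannot raise.
    return hmac.compare_digest(mac.encode(), expected.encode())


if __name__ == "__main__":
    # Constructed session cookie values.
    alice, other = "sess-alice-1f3a", "sess-other-9c2e"
    form_token = issue_token(alice)
    print("same session accepted:  ", verify_token(alice, form_token))
    print("other session accepted: ", verify_token(other, form_token))
    print("missing token accepted: ", verify_token(alice, ""))
    print("renders differ:         ", issue_token(alice) != form_token)
```
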
>
> Now, what prevents a hacker from writing a javascript to retrieve a page
> from a logged in user on my site, retrieve the CSRF token and make another
> javascript request using the token on my forms??
>
Tell me how you would do this. By doing that you'll discover the
difficulties yourself.
Re