On Sun, 2010-09-05 at 17:07 -0400, Craig Andrews wrote:
> As far as my understanding of CSRF goes, the username/password login
> process isn't vulnerable to such an attack (because the user isn't logged
> in yet, and it's not a target for malicious action, like posting a notice
> would be).
That's a good point. I don't know if you were around, but we had someone do a
CSRF attack on identi.ca to prove that it could be done, and it was really
unpleasant (me and Zach stayed up all night patching forms in the software to
make sure it wouldn't happen again).

I'm not excited about removing those tokens, but... it seems like less of a
big deal for login forms. I'd like to hear a third opinion, though, before you
remove the code.

-Evan

________________________________________________________________________
Evan Prodromou, CEO StatusNet Inc.
1124 rue Marie-Anne Est #32, Montreal, QC H2J 2T5
T: 438-380-4801 x101  C: 514-554-3826
W: http://evan.status.net/  E: [email protected]
_______________________________________________
StatusNet-dev mailing list
[email protected]
http://lists.status.net/mailman/listinfo/statusnet-dev
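The thread above is about whether the per-form CSRF tokens that were patched in after the identi.ca incident should stay on the login form. As an added illustration of what such a token check looks like (this is example code written for this page, not StatusNet's own implementation), the following Python keeps one random token per session, emits it as a hidden field, and verifies it with a constant-time comparison on every POST, including the login POST. Because the token is issued against the anonymous pre-login session, the same check covers forms a visitor submits before and after logging in, so no form has to be special-cased. The in-memory session store, the `USERS` table and the action names are constructed assumptions for the example.

```python
"""Session-bound CSRF tokens for HTML forms (illustrative, not StatusNet code).

Design:
  * one random token per session, created together with the session,
    so it exists before the visitor logs in;
  * the token is emitted as a hidden <input> in every form;
  * every state-changing POST (posting a notice, logging in) is rejected
    unless the submitted token matches, compared in constant time;
  * the token is rotated when the authentication state changes.
"""
import hmac
import secrets

# Constructed in-memory stores; a real deployment would use its session backend.
SESSIONS = {}                     # session id -> {"user": ..., "csrf_token": ...}
USERS = {"alice": "correct horse"}  # constructed credential table, plaintext only for brevity


def start_session():
    """Create an anonymous session (the state a visitor is in before login)."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": None, "csrf_token": secrets.token_urlsafe(32)}
    return sid


def csrf_token_for(sid):
    """Token the form templates for this session should embed."""
    return SESSIONS[sid]["csrf_token"]


def hidden_field(sid):
    """The hidden input a form template (login form included) would render."""
    return '<input type="hidden" name="token" value="%s">' % csrf_token_for(sid)


def check_token(sid, submitted):
    """True only if `submitted` equals the token stored for session `sid`.

    hmac.compare_digest avoids leaking how many leading bytes matched."""
    session = SESSIONS.get(sid)
    if session is None or not isinstance(submitted, str):
        return False
    return hmac.compare_digest(session["csrf_token"].encode(), submitted.encode())


def handle_post(sid, form):
    """Dispatch a form POST; returns (http_status, message).

    The CSRF check runs first for every action, so the login form is
    protected by the token issued to the anonymous session."""
    if not check_token(sid, form.get("token", "")):
        return (403, "invalid or missing CSRF token")
    session = SESSIONS[sid]
    action = form.get("action")

    if action == "login":
        stored = USERS.get(form.get("nickname", ""), "")
        given = form.get("password", "")
        if not stored or not hmac.compare_digest(stored.encode(), given.encode()):
            return (401, "bad credentials")
        session["user"] = form["nickname"]
        # Authentication state changed: issue a fresh token so a value
        # captured before login is useless afterwards.
        session["csrf_token"] = secrets.token_urlsafe(32)
        return (200, "logged in")

    if action == "post_notice":
        if session["user"] is None:
            return (401, "login required")
        return (200, "notice posted by %s" % session["user"])

    return (400, "unknown action")


if __name__ == "__main__":
    sid = start_session()
    print(hidden_field(sid))
    print(handle_post(sid, {"action": "post_notice", "text": "hi"}))          # 403, no token
    tok = csrf_token_for(sid)
    print(handle_post(sid, {"action": "login", "nickname": "alice",
                            "password": "correct horse", "token": tok}))     # 200
    print(handle_post(sid, {"action": "post_notice", "text": "hi",
                            "token": csrf_token_for(sid)}))                  # 200
```

The point the example makes for the discussion is that the login form costs nothing extra to protect once tokens are bound to the session rather than to a logged-in user: the anonymous session already carries a token, and rotating it after a successful login keeps the pre-login and post-login tokens distinct.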
